(19)
(11) EP 0 899 907 B1

(12) EUROPEAN PATENT SPECIFICATION

(45) Mention of the grant of the patent:
01.02.2006 Bulletin 2006/05

(21) Application number: 98250304.7

(22) Date of filing: 27.08.1998
(51) International Patent Classification (IPC): 
H04L 9/30(2006.01)
G06F 7/72(2006.01)

(54)

Apparatus for processing bivectors and encrypting system including the same

Vorrichtung zur Verarbeitung von Bivektoren und Verschlüsselungssystem unter Verwendung desselben

Dispositif de traitement de bivecteurs et système de chiffrage utilisant ce dispositif


(84) Designated Contracting States:
DE FR GB

(30) Priority: 28.08.1997 JP 23252897

(43) Date of publication of application:
03.03.1999 Bulletin 1999/09

(73) Proprietor: NEC CORPORATION
Tokyo (JP)

(72) Inventor:
  • Arita, Seigo
    Minato-ku, Tokyo (JP)

(74) Representative: Wenzel & Kalkoff 
Grubes Allee 26
22143 Hamburg (DE)


(56) References cited:
   
  • HARASAWA R ET AL: "A FAST JACOBIAN GROUP ARITHMETIC SCHEME FOR ALGEBRAIC CURVE CRYPTOGRAPHY" IEICE TRANSACTIONS ON FUNDAMENTALS OF ELECTRONICS, COMMUNICATIONS AND COMPUTER SCIENCES, INSTITUTE OF ELECTRONICS INFORMATION AND COMM. ENG. TOKYO, JP, vol. E84-A, no. 1, 1 January 2001 (2001-01-01), pages 130-139, XP001006531 ISSN: 0916-8508
  • VOLCHECK E J: "Computing in the Jacobian of a Plane Algebraic Curve" SPRINGER-VERLAG, LECTURE NOTES IN COMPUTER SCIENCE; ALGORITHMIC NUMBER THEORY SYMPOSIUM, ANTS-I, 9 May 1994 (1994-05-09), pages 221-233, XP001032842 Ithaca, NY, USA ISBN: 3-540-58691-1
  • MING-DEH HUANG ET AL: "EFFICIENT ALGORITHMS FOR THE RIEMANN-ROCH PROBLEM AND FOR ADDITION IN THE JACOBIAN OF A CURVE" PROCEEDINGS OF THE ANNUAL SYMPOSIUM ON FOUNDATIONS OF COMPUTER SCIENCE. SAN JUAN, PUERTO RICO, OCT. 1 - 4, 1991, LOS ALAMITOS, IEEE. COMP. SOC. PRESS, US, vol. SYMP. 32, 1 October 1991 (1991-10-01), pages 678-687, XP000326135 ISBN: 0-8186-2445-0
  • KOBLITZ N: "HYPERELLIPTIC CRYPTOSYSTEMS" JOURNAL OF CRYPTOLOGY, SPRINGER VERLAG, NEW YORK, NY, US, vol. 1, no. 3, 1989, pages 139-150, XP000957856 ISSN: 0933-2790
   
Note: Within nine months from the publication of the mention of the grant of the European patent, any person may give notice to the European Patent Office of opposition to the European patent granted. Notice of opposition shall be filed in a written reasoned statement. It shall not be deemed to have been filed until the opposition fee has been paid. (Art. 99(1) European Patent Convention).


Description

BACKGROUND OF THE INVENTION


FIELD OF THE INVENTION



[0001] The invention relates to encryption techniques for data security, and more particularly to a system for distributing a public key for network users to share a secret key through the use of a public key, a public key encryption system such as an El-Gamal type encryption system for network users to make a mutual secret communication through the use of a public key, and an El-Gamal type verification system, which is one of electronic signature systems, for network users to verify a correspondence and/or a transmitter, and apparatuses for operating a bivector, to be used for those systems, such as an apparatus for multiplying a bivector by an integer.

DESCRIPTION OF THE RELATED ART



[0002] Various techniques belonging to a public key encryption system, wherein secret communication is made over an open network, are known; they base their security on the difficulty of solving the discrete logarithm problem in a finite field GF(p).

[0003] For instance, the DH type public key distribution system suggested by W. Diffie and M. Hellman (New directions in cryptography, IEEE Trans. Inf. Theory, IT-22, 6, pp. 644-654), and the El-Gamal cryptography and signature systems suggested by T. E. El-Gamal (A public key cryptosystem and a signature scheme based on discrete logarithm, Proc. Crypto 84, 1984), base their security on the fact that the discrete logarithm problem in a finite field GF(p) is quite difficult to solve.

[0004] Hereinbelow is explained the discrete logarithm problem in a finite field GF(p). It is now supposed that p is a prime number, and that GF(p) consists of the integers N equal to or greater than 0 but smaller than p (N = 0, 1, 2, ---, p-1), with arithmetic carried out modulo the prime number p. It is also supposed that the following equation is established.

In the equation, α indicates a certain fixed primitive root of GF(p). That is, each of the elements 1, 2, ---, p-1 of GF(p) other than 0 can be represented in the form α^K, where K indicates a certain number. Under those suppositions, X is called a logarithm of Y in GF(p) with the prime number p acting as a base.

[0005] It is easy to calculate Y on the basis of X: all that is required is about 2 × log₂ X multiplications. To the contrary, it is quite difficult to calculate X on the basis of Y, even with the best of the presently known algorithms. The amount of calculation for obtaining X from Y is almost the same as that for the prime factorization of a composite number having almost the same magnitude as the prime number p. The difficulty of calculating X on the basis of Y is called the discrete logarithm problem.

[0006] In accordance with the above-mentioned DH type public key distribution system, a first user A and a second user B can share a common key K, which is secret data, with the common key K being kept secret to others, even though open network is utilized. This is based on the fact that the above-mentioned discrete logarithm problem is quite difficult to solve.

[0007] A prime number p and a primitive root α are in advance informed to others as open data. The first user A randomly selects an integer XA in the range of 0 to (p-1), and the thus selected integer XA is kept secret. Similarly, the second user B randomly selects an integer XB in the range of 0 to (p-1), and the thus selected integer XB is kept secret. The first user A calculates the following equation.

[0008] YA = α^XA mod p (1 ≦ YA ≦ p-1) ("XA" means "X_A", i.e. X with the subscript A. The same applies to "XB", "XU" etc., hereinbelow.)
Then, the first user A transmits a calculation result YA to the second user B. Similarly, the second user B calculates the following equation.

Then, the second user B transmits a calculation result YB to the first user A.

[0009] After the calculation results YA and YB have been exchanged, the first user A calculates the common key K, as follows.

Similarly, the second user B calculates the common key K, as follows.



[0010] Thus, the first and second users A and B can share the common key K (K = α^(XA·XB) mod p) in secret.

[0011] Thereafter, the first and second users A and B can make secret communication therebetween through the use of the common key K. In the above-mentioned procedure, only the calculation results YA and YB are on open network. Since it would be necessary to solve the discrete logarithm problem in order to obtain the integers XA and XB both of which are secret data, a third party cannot know the common key K on the premise that the discrete logarithm problem is quite difficult to solve.
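The key agreement of paragraphs [0006] to [0011], as an added example that is not part of the patent. The prime, the primitive root and the function names are my own choices; p is kept tiny on purpose so that the discrete logarithm, which the scheme's security rests on, can be recovered by exhaustive search in the last step of the demo. With the 1024-bit primes that paragraph [0023] recommends that search is infeasible, and only the two public values YA and YB are ever exposed.

```python
"""Diffie-Hellman key agreement over GF(p) (paragraphs [0006]-[0011]),
with a deliberately tiny prime so that the brute-force discrete logarithm
can be run as well.  Example code, not the patent's apparatus."""
import secrets

# Constructed public parameters: 1019 is prime and 2 is a primitive root of
# GF(1019) (1018 = 2 * 509, and 2 is a quadratic non-residue mod 1019).
P_SMALL = 1019
ALPHA = 2


def is_primitive_root(alpha, p):
    """alpha generates all of GF(p)* iff alpha^((p-1)/q) != 1 for every
    prime factor q of p-1 (checked by trial division of p-1)."""
    n = p - 1
    factors, m, q = set(), n, 2
    while q * q <= m:
        while m % q == 0:
            factors.add(q)
            m //= q
        q += 1
    if m > 1:
        factors.add(m)
    return all(pow(alpha, n // q, p) != 1 for q in factors)


def keypair(p, alpha):
    """Secret exponent X in [1, p-2] and the public value Y = alpha^X mod p;
    computing Y from X is one square-and-multiply (paragraph [0005])."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(alpha, x, p)


def shared_key(own_secret, peer_public, p):
    """K = peer_public^own_secret mod p; both parties obtain alpha^(XA*XB)."""
    return pow(peer_public, own_secret, p)


def discrete_log_bruteforce(y, alpha, p):
    """Smallest x with alpha^x = y mod p by exhaustive search.  This is the
    work an eavesdropper must do; it is only practical because p is tiny."""
    acc = 1
    for x in range(p - 1):
        if acc == y:
            return x
        acc = (acc * alpha) % p
    return None


def demo(p=P_SMALL, alpha=ALPHA):
    """Run one exchange and return (K at A, K at B, K recovered from YA, YB)."""
    xa, ya = keypair(p, alpha)
    xb, yb = keypair(p, alpha)
    ka = shared_key(xa, yb, p)
    kb = shared_key(xb, ya, p)
    # Only ya and yb are on the open network; with a small p they suffice.
    recovered = shared_key(discrete_log_bruteforce(ya, alpha, p), yb, p)
    return ka, kb, recovered


if __name__ == "__main__":
    print(demo())
```

The third value returned by `demo()` equals the first two: the only thing separating a party from an eavesdropper is the cost of `discrete_log_bruteforce`, which grows with p. That is why the text's countermeasure in paragraph [0023] is a larger p, and why the rest of the patent looks for a group with the same element count but smaller field arithmetic.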

[0012] In accordance with the above-mentioned El-Gamal encryption system, it is possible to make a secret communication on open network as follows, based on the fact that the discrete logarithm problem is difficult to solve.

[0013] A prime number p and a primitive root α are in advance informed to others as open data. Each of users U randomly selects an integer XU, and the thus selected integer XU is kept secret. In addition, each of users U calculates the following equation.

Then, each of users U transmits the calculation result YU to other users as a public key.

[0014] Herein, it is supposed that a first user A transmits a correspondence M to a second user B in secret. First, the first user A makes the following ciphers C1 and C2 through the use of a random number K which only the first user A knows, and a public key YB of the second user B.





[0015] Then, the first user A transmits the ciphers C1 and C2 to the second user B. The second user B having received the ciphers can obtain the correspondence M by calculating the following equation through the use of an integer XB which only the second user B knows.



[0016] In the above-mentioned El-Gamal encryption system, only the ciphers C1 and C2 are on open network. Since it would be necessary to solve the discrete logarithm problem in order to obtain the random number K and the correspondence M both of which are secret data, a secret communication can be made on the premise that the discrete logarithm problem is quite difficult to solve.

[0017] In accordance with the above-mentioned El-Gamal signature system, electronic signature can be accomplished as follows, based on the fact that it is quite difficult to solve the discrete logarithm problem.

[0018] A prime number p and a primitive root α are in advance informed to others as open data. A certifier U randomly selects an integer XU as a signature key, and the thus selected integer XU is kept secret. In addition, the certifier U calculates the following equation.

Then, the certifier U discloses the calculation result YU to others as a verification key.

[0019] Herein, it is supposed that a verifier V verifies a signature made to a correspondence M of the certifier U. First, the certifier U makes the following signatures R and S through the use of a random number K which only the certifier U knows, and a signature key XU of the certifier U itself.





[0020] Then, the certifier U transmits a correspondence M together with the signatures R and S to the verifier V. The verifier V having received the signatures R and S verifies whether the following equation is established through the use of a verification key YU of the certifier U.



[0021] In the above-mentioned El-Gamal signature system, only the correspondence M and the signatures R and S are on open network. Since it would be necessary to solve the discrete logarithm problem in order to obtain the signature key XU which is secret data, it would be quite difficult or almost impossible for a person other than the certifier U to impersonate the certifier U, and hence, electronic signature can be accomplished on the premise that the discrete logarithm problem is quite difficult to solve.
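The El-Gamal encryption of paragraphs [0012] to [0016] and the El-Gamal signature of paragraphs [0017] to [0021], as an added example that is not part of the patent. The page's own formulas for C1, C2, R, S and the verification equation did not survive extraction, so the code uses the standard textbook form of the scheme (C1 = α^K, C2 = M·YB^K; R = α^K, S = (M − XU·R)·K⁻¹ mod (p−1); accept iff α^M = YU^R·R^S mod p); the tiny parameters and function names are my own.

```python
"""El-Gamal encryption ([0012]-[0016]) and signature ([0017]-[0021]) over
GF(p) in the standard textbook form.  Example code, not the patent's."""
import secrets
from math import gcd

# Constructed tiny parameters: p prime, alpha a primitive root mod p.
P_SMALL = 1019
ALPHA = 2


def keygen(p=P_SMALL, alpha=ALPHA):
    """Secret XU in [1, p-2] and public YU = alpha^XU mod p."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(alpha, x, p)


def encrypt(m, y_recipient, p=P_SMALL, alpha=ALPHA):
    """C1 = alpha^K mod p, C2 = M * YB^K mod p, with a fresh random K."""
    if not 0 < m < p:
        raise ValueError("message must be a non-zero element of GF(p)")
    k = secrets.randbelow(p - 2) + 1
    return pow(alpha, k, p), (m * pow(y_recipient, k, p)) % p


def decrypt(c1, c2, x_recipient, p=P_SMALL):
    """M = C2 * (C1^XB)^-1 mod p, using the recipient's secret XB."""
    return (c2 * pow(pow(c1, x_recipient, p), -1, p)) % p


def sign(m, x_signer, p=P_SMALL, alpha=ALPHA):
    """R = alpha^K mod p, S = (M - XU*R) * K^-1 mod (p-1).  K must be
    invertible mod p-1 and must never be reused: two signatures made with
    the same K leak XU by simple algebra."""
    while True:
        k = secrets.randbelow(p - 2) + 1
        if gcd(k, p - 1) == 1:
            break
    r = pow(alpha, k, p)
    s = ((m - x_signer * r) * pow(k, -1, p - 1)) % (p - 1)
    return r, s


def verify(m, r, s, y_signer, p=P_SMALL, alpha=ALPHA):
    """Accept iff 0 < R < p and alpha^M == YU^R * R^S (mod p).  The range
    check on R is part of the verifier's job; omitting it is a classic
    implementation mistake."""
    if not 0 < r < p:
        return False
    return pow(alpha, m, p) == (pow(y_signer, r, p) * pow(r, s, p)) % p


if __name__ == "__main__":
    x_b, y_b = keygen()
    c1, c2 = encrypt(123, y_b)
    print("decrypted:", decrypt(c1, c2, x_b))
    r, s = sign(500, x_b)
    print("signature valid:", verify(500, r, s, y_b),
          "tampered:", verify(501, r, s, y_b))
```

As the text says, only C1, C2 and M, R, S travel on the open network; `decrypt` and `sign` are the only functions that touch a secret exponent, which is the boundary a hardware implementation of the scheme has to protect.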

[0022] As explained so far, most of the public key encryption systems base their security on the fact that the discrete logarithm problem in a finite field GF(p) is difficult to solve. However, recent developments in supercomputers and in arithmetic algorithms are making it possible to solve the discrete logarithm problem in a finite field GF(p) with a relatively small amount of calculation.

[0023] As a countermeasure thereto, it is recommended to employ a prime number p having 1024 bits, namely, about 300 or more decimal digits. However, it would be necessary to prepare a large-scale circuit for finite field operation in order to operate on a finite field GF(p) with a prime number p of about 300 or more decimal digits. This prevents various techniques in a public key encryption system from being put to practical use.

[0024] VOLCHECK E J: "Computing in the Jacobian of a Plane Algebraic Curve" SPRINGER-VERLAG, LECTURE NOTES IN COMPUTER SCIENCE; ALGORITHMIC NUMBER THEORY SYMPOSIUM, ANTS-I, 1994, pages 221 - 233 describes an algorithm for carrying out the addition operation in the Jacobian variety of a plane algebraic curve defined over an algebraic number field K with arbitrary singularities, representing singularities using analytic rather than algebraic means.

[0025] MING-DEH HUANG ET AL: "EFFICIENT ALGORITHMS FOR THE RIEMANN-ROCH PROBLEM AND FOR ADDITION IN THE JACOBIAN OF A CURVE", IEEE. COMP. SOC. PRESS, US, vol. SYMP. 32, 1991, pages 678 - 687 describes an algorithm for addition on the Jacobian of a curve in general, given a plane model of the curve with only ordinary multiple points.

[0026] KOBLITZ N: "HYPERELLIPTIC CRYPTOSYSTEMS" JOURNAL OF CRYPTOLOGY, SPRINGER VERLAG, NEW YORK, NY, US, vol. 1, no. 3, 1989, on pages 139 - 150 describes an algorithm for addition for groups obtained from the Jacobians of hyperelliptic curves defined over finite fields and its application to public key cryptosystems.

SUMMARY OF THE INVENTION



[0027] It is the object of the present invention to provide an apparatus for making an addition operation, in particular to be used for an encryption system, and/or for other various techniques for accomplishing a public key encryption system in a smaller scale.

[0028] The invention solves this object by the features of claim 1. Preferred features are given in the dependent claims.

[0029] As explained, the conventional public key encryption systems are based on the fact that it is quite difficult or almost impossible to solve the discrete logarithm problem of a finite field, more accurately, of the multiplicative group of a finite field. One principle of the present invention is that the Jacobian group of algebraic curves in a finite field is employed in place of the multiplicative group of a finite field.

[0030] Hereinbelow is explained the Jacobian group of algebraic curves. Any algebraic curve has a characteristic comprised of a positive integer called a genus. It is now supposed that a curve A has a genus G. It is now possible to define an addition among sets of any G number of points on the curve A as follows. There are defined the following two sets Q1 and Q2, each composed of G number of points on the curve A.





[0031] A curve B is defined as a curve having the smallest degree among curves passing through all points belonging to the sets Q1 and Q2. The thus defined curve B intersects with the curve A at another G number of points as well as at the points belonging to the sets Q1 or Q2. These other G number of points are defined as H1, H2, ---, HG. Herein, a curve C is defined as a curve having the smallest degree among curves passing through all the G number of points H1, H2, ---, HG. The thus defined curve C intersects with the curve A at another G number of points, R1, R2, ---, RG, as well as at the G number of points H1, H2, ---, HG. The addition of the sets Q1 and Q2 yields Y = {R1, R2, ---, RG}.

[0032] A set of any G number of points on the curve A wherein an addition is defined as mentioned above is called the Jacobian group of the curve A in a finite field GF(p). The number of elements of the Jacobian group, namely, the number of sets each composed of any G number of points on the curve A, is equal to about p^G. An arithmetically detailed explanation is made, for instance, by J. H. Silverman, The Arithmetic of Elliptic Curves, Springer-Verlag, 1986.

[0033] In order to accomplish various techniques belonging to a public key encryption system which have sufficient cryptographic strength, it is necessary to use a group having a sufficient number of elements, whether the multiplicative group of a finite field or the Jacobian group of algebraic curves is employed. Generally, the number of elements of the multiplicative group of a finite field GF(p) is equal to (p-1), whereas the number of elements of the Jacobian group of algebraic curves having a genus G in a finite field GF(p) is equal to about p^G. Accordingly, if the Jacobian group of algebraic curves having a genus G in a finite field is employed in place of the multiplicative group of a finite field, it would be possible to make the order of p in the finite field GF(p) about 1/G as large as the order of p required when the multiplicative group of a finite field is employed, on the assumption that the cryptographic strength is kept at the same level, namely, that the number of elements in the groups to be used is kept almost the same.

[0034] Thus, various techniques of a public key encryption system in accordance with the present invention make it possible to employ a smaller-sized finite field without reduction in a strength with respect to cryptography, which ensures that sufficient strength with respect to cryptography can be accomplished by means of a smaller-sized apparatus at less costs.

BRIEF DESCRIPTION OF THE DRAWINGS



[0035] 

Fig. 1 is a block diagram of an apparatus for summing bivectors, in accordance with an embodiment of the present invention.

Fig. 2 is a flow chart of the apparatus for summing bivectors, illustrated in Fig. 1.

Fig. 3 is a block diagram of a device for converting a point-set, employed in the apparatus for summing bivectors, illustrated in Fig. 1.

Fig. 4 is a flow chart of the device for converting a point-set, illustrated in Fig. 3.

Fig. 5 illustrates a data format of a parameter defining a curve.

Fig. 6 is a flow chart of a device for operating a common curve.

Fig. 7 is a flow chart of a device for operating an intersection-set.

Fig. 8 is a block diagram of an apparatus for doubling a bivector, in accordance with an embodiment of the present invention.

Fig. 9 is a flow chart of the apparatus for doubling a bivector, illustrated in Fig. 8.

Fig. 10 is a block diagram of an apparatus for multiplying a bivector by an integer, in accordance with an embodiment of the present invention.

Fig. 11 is a flow chart of the apparatus for multiplying a bivector by an integer, illustrated in Fig. 10.

Fig. 12 is a block diagram of a system for distributing a public key, in accordance with an embodiment of the present invention.

Fig. 13 is a block diagram of an example of a center partially constituting the system for distributing a public key, illustrated in Fig. 12.

Fig. 14 is a block diagram of an example of a user terminal partially constituting the system for distributing a public key, illustrated in Fig. 12.

Fig. 15 is a flow chart of the system for distributing a public key, illustrated in Fig. 12.

Fig. 16 is a block diagram of an El-Gamal type encryption system in accordance with an embodiment of the present invention.

Fig. 17 is a block diagram of an example of a center partially constituting the El-Gamal type encryption system illustrated in Fig. 16.

Fig. 18 is a block diagram of an example of a user terminal partially constituting the El-Gamal type encryption system illustrated in Fig. 16.

Fig. 19 is a flow chart of the El-Gamal type encryption system illustrated in Fig. 16.

Fig. 20 is a block diagram of an El-Gamal type signature system in accordance with an embodiment of the present invention.

Fig. 21 is a block diagram of an example of a center partially constituting the El-Gamal type signature system illustrated in Fig. 20.

Fig. 22 is a block diagram of an example of a certifier terminal partially constituting the El-Gamal type signature system illustrated in Fig. 20.

Fig. 23 is a block diagram of an example of a verifier terminal partially constituting the El-Gamal type signature system illustrated in Fig. 20.

Fig. 24 is a flow chart of the El-Gamal type signature system illustrated in Fig. 20.


DESCRIPTION OF THE PREFERRED EMBODIMENTS



[0036] In the preferred embodiments in accordance with the present invention, there is employed the Jacobian group of algebraic curves having a genus G in a finite field GF(p), in place of the multiplicative group in a finite field. As mentioned earlier, the Jacobian group of algebraic curves having a genus G in a finite field GF(p) is comprised of point-sets {P1, P2, ---, PG} each composed of G number of points on a curve, and is represented as the following row where the coordinate values of the points are arranged.

[0037] [(x(P1), y(P1)), (x(P2), y(P2)), ---, (x(PG), y(PG))] wherein x(Pi) indicates an X-axis coordinate of a point Pi, and y(Pi) indicates a Y-axis coordinate of a point Pi.

[0038] Thus, if a vector comprising a plurality of pairs of elements selected from a finite field is called a bivector, each of the elements in the Jacobian group can be represented with a bivector or bivectors. A public key encryption system in accordance with the present invention is comprised of an apparatus for operating a bivector in a finite field.

[Apparatus for summing bivectors]



[0039] Hereinbelow is explained an apparatus for summing bivectors, in accordance with an embodiment of the present invention.

[0040] An apparatus for summing bivectors in accordance with the embodiment operates and outputs a bivector X3, when bivectors X1 and X2 each comprising a plurality of pairs of elements selected from a predetermined finite field are supposed to be coordinate value rows of points in point-sets Q1 and Q2 on a curve defined with a parameter A, respectively, comprised of coordinate value row of points in a point-set Q3 equal to a sum of the point-sets Q1 and Q2 in the Jacobian group of the curve defined with the parameter A.

[0041] This apparatus can be accomplished in a computer.

[0042] Fig. 1 is a block diagram of the apparatus for summing bivectors in accordance with the embodiment. Fig. 2 is a flow chart of the apparatus for summing bivectors, illustrated in Fig. 1. Fig. 3 is a block diagram of an example of a point-set conversion apparatus. Fig. 4 is a flow chart of the point-set conversion apparatus illustrated in Fig. 3.

[0043] The apparatus for summing bivectors, illustrated in Fig. 1, is comprised of a first device 11 for calculating a union-set, a second device 12 for converting a point-set, a memory 13, a fourth device 14 for inputting data therethrough, a fifth device 15 for outputting results therethrough, and a central processing unit (CPU) 16.

[0044] The fourth device 14 receives bivectors X1 and X2, and a parameter A defining a curve, and transmits them to CPU 16.

[0045] The memory 13 includes a first storage file for storing the bivector X1 therein, a second storage file for storing the bivector X2 therein, a third storage file for storing the parameter A therein, a fourth storage file for storing a bivector T1 therein, and a fifth storage file for storing a bivector T2 therein.

[0046] The first device 11 for calculating a union-set receives the bivector X1 from the first storage file, the bivector X2 from the second storage file, and the parameter A from the third storage file, and operates the bivector T1 which, when the bivectors X1 and X2 are supposed to be coordinate value rows of points in point-sets on a curve defined with the parameter A, respectively, is comprised of coordinate value row of points in a union-set of those point-sets indicated by X1 and X2.

[0047] The second device 12 for converting a point-set receives the bivector T1 from the fourth storage file, and the parameter A from the third storage file, and operates the bivector T2 which, when the bivector T1 is supposed to be a coordinate value row of points on a curve defined with the parameter A, is comprised of a coordinate value row of points in the point-set representing the inverse of the point-set indicated by T1 in the Jacobian group of the curve defined with the parameter A.

[0048] The second device 12 further receives the bivector T2 from the fifth storage file, and the parameter A from the third storage file, and operates a bivector X3 which, when the bivector T2 is supposed to be the coordinate value row of points on a curve defined with the parameter A, is comprised of the coordinate value row of points in the point-set representing the inverse of the point-set indicated by T2 in the Jacobian group of the curve defined with the parameter A.

[0049] The fifth device 15 for outputting results outputs the thus operated bivector X3.

[0050] The central processing unit 16 controls the first device 11, the second device 12, the memory 13, the fourth device 14, and the fifth device 15.

[0051] As illustrated in Fig. 3, the second device 12 for converting a point-set is comprised of a first device 21 for operating a common curve, a second device 22 for operating an intersection-set, a third device 23 for operating a difference-set, a memory 24, a fifth device 25 for inputting signals therethrough, a sixth device 26 for outputting operation results therethrough, and a central processing unit (CPU) 27.

[0052] The fifth device 25 receives the bivector T1, and the parameter A for defining a curve, and transmits them to the central processing unit 27.

[0053] The memory 24 includes a first storage file for storing the bivector T1 input through the fifth device 25, a second storage file for storing the parameter A input through the fifth device 25, a third storage file for storing an operated parameter B therein, and a fourth storage file for storing an operated bivector S1 therein.

[0054] The first device 21 for operating a common curve receives the bivector T1 from the first storage file, and the parameter A from the second storage file, and operates a parameter B of a curve which, when the bivector T1 is supposed to be coordinate value row of points on a curve defined with the parameter A, passes through all points belonging to the point-sets.

[0055] The second device 22 for operating an intersection-set receives the parameter B from the third storage file, and the parameter A from the second storage file, and operates a bivector S1 comprised of the coordinate value row of points in an intersection between a curve defined with the parameter A and a curve defined with the parameter B.

[0056] The third device 23 for operating a difference-set receives the bivector T1 from the first storage file, and the bivector S1 from the fourth storage file, and operates a bivector T2 which, when the bivectors T1 and S1 are supposed to be coordinate value rows of points on a curve defined with said parameter A, respectively, is comprised of a coordinate value row of points in a point-set obtained by subtracting the point-set indicated by the bivector T1 from the point-set indicated by the bivector S1.

[0057] The sixth device 26 outputs the thus operated bivector T2.

[0058] The central processing unit 27 controls the first device 21, the second device 22, the third device 23, the memory 24, the fifth device 25, and the sixth device 26.

[0059] The central processing unit 16, the fourth device 14, the fifth device 15, and the memory 13 all illustrated in Fig. 1 may double as the central processing unit 27, the fifth device 25, the sixth device 26, and the memory 24, respectively. In addition, the bivector T1 and the parameter A both stored in the memory 13 illustrated in Fig. 1 may be employed without employing the bivector T1 and the parameter A which have been input through the fifth device 25 illustrated in Fig. 3.

[0060] Hereinbelow is explained the operation of the apparatus for summing bivectors, illustrated in Figs. 1 and 3. Herein, it is supposed that a curve defined by the equation y^3 = x^4 + 1 on a finite field GF(17) is employed.

[0061] In the apparatus for summing bivectors, illustrated in Fig. 1, it is supposed that the fourth device 14 receives two bivectors X1 and X2 on a finite field GF(17) having an order number of 17, and a parameter A defining the curve y^3 = F(x) = x^4 + 1 on the finite field GF(17). The data format of the parameter A is as shown in Fig. 5. The bivectors X1 and X2, and the parameter A are represented as follows.

X1 = ((0, 1), (1, 8), (2, 0))

X2 = ((3, 10), (4, 8), (5, 10))

A = (3, 4, -1, 0, 0, 0, 0, 0, 0, 0, 0, 1, -1)

[0062] The central processing unit 16 temporarily stores the bivectors X1 and, X2, and the parameter A transmitted from the fourth device 14, in the memory 13. Then, the central processing unit 16 receives the bivectors X1 and X2 from the first and second storage files, respectively, and transmits them to the first device 11 for calculating a union-set.

[0063] The first device 11 for calculating a union-set considers the bivectors X1 and X2 as coordinate value rows of points on the curve, respectively, and calculates the union-set of them. That is, the first device 11 considers the bivector X1 as a set composed of the three points (0, 1), (1, 8) and (2, 0), and the bivector X2 as a set composed of the three points (3, 10), (4, 8) and (5, 10), and calculates the union-set of the bivectors X1 and X2 to thereby obtain the set {(0, 1), (1, 8), (2, 0), (3, 10), (4, 8), (5, 10)}. Then, the first device 11 outputs the bivector T1 associated with the thus obtained set, namely, the bivector T1 represented as ((0, 1), (1, 8), (2, 0), (3, 10), (4, 8), (5, 10)).

[0064] Then, the central processing unit 16 temporarily stores the bivector T1 transmitted from the first device, in the memory 13.

[0065] Then, the central processing unit 16 receives the bivector T1 from the fourth storage file, and the parameter A from the third storage file, and transmits them to the second device 12 for converting a point-set. The second device 12 makes an operation as follows to thereby output the bivector T2 which, when the bivector T1 is supposed to be coordinate value row of points on a curve defined with the parameter A, is comprised of the coordinate value row of points in a point-set indicative of the inverse of the point-set indicated by T1 in the Jacobian group of the curve defined with the parameter A.

[0066] An operation made by the second device 12 for converting a point-set is explained hereinbelow with reference to Fig. 3.

[0067] In the point-set conversion device 12, the fifth device 25 receives the bivector T1 and the parameter A, and transmits them to the central processing unit 27. Then, the central processing unit 27 temporarily stores the bivector T1 and the parameter A in the memory 24. If the calculation result made by the first device 11 for calculating a union-set is stored in the memory 13, the calculation result may be read out.

[0068] Then, the central processing unit 27 receives the bivector T1 from the fourth storage file, and the parameter A from the third storage file, and transmits them to the first device 21 for operating a common curve. The first device 21 makes an operation as follows to thereby output the parameter B defining a curve passing through all points belonging to a point-set represented by the bivector T1 as well as a degree of duplication, in the form of the data format illustrated in Fig. 5.

[0069] The operation made by the first device 21 for operating a common curve is explained hereinbelow with reference to Fig. 6.

[0070] First, in step 61, the first device 21 reads out the degree, 3, of y and the degree, 4, of x from the parameter A = (3, 4, -1, 0, 0, 0, 0, 0, 0, 0, 0, 1, -1) having been input thereinto. Then, supposing that i indicates an integer equal to or greater than 0, and j indicates an integer in the range of 0 to 2 both inclusive, the first device 21 assigns the weight 3i + 4j to each monomial x^i y^j in the indeterminates x and y.

[0071] Then, the common curve operation device 21 calculates the number of elements of the point-set {(0, 1), (1, 8), (2, 0), (3, 10), (4, 8), (5, 10)} represented by the bivector T1 in step 62. As a result, 6 is obtained as the number of elements. Then, seven (6 + 1 = 7) monomials having the minimum weights are selected from the above-mentioned monomials x^i y^j (i ≧ 0, 0 ≦ j ≦ 2). As a result, the seven monomials (1, x, y, x^2, xy, y^2, x^3) are obtained. Then, a linear combination (a + bx + cy + dx^2 + exy + fy^2 + gx^3) is formed with undetermined coefficients (a, b, c, d, e, f, g) of the thus selected monomials (1, x, y, x^2, xy, y^2, x^3).

[0072] Then, the first device 21 for operating a common curve substitutes the coordinate values of the points included in the point-set {(0, 1), (1, 8), (2, 0), (3, 10), (4, 8), (5, 10)} represented by the bivector T1 into the above-mentioned linear combination (a + bx + cy + dx^2 + exy + fy^2 + gx^3) to thereby obtain the following linear equation system, in step 63.













[0073] Then, the first device 21 for operating a common curve solves the above-mentioned linear equation system in step 64 to thereby determine the above-mentioned undetermined coefficients as follows.



[0074] Then, the first device for operating a common curve puts the degrees (2, 3) of x and y at the head of the thus determined undetermined coefficients (8, 4, 14, 4, 16, 12, 13) to thereby have the parameter B = (2, 3, 8, 4, 14, 4, 16, 12, 13), and outputs the parameter B.

[0075] Then, in Fig. 3, the central processing unit 27 temporarily stores the parameter B transmitted from the first device 21 as an output, in the memory 24. Then, the central processing unit 27 receives the parameter B from the third storage file, and the parameter A from the second storage file, and transmits them to the second device 22 for operating an intersection-set.

[0076] The second device 22 makes the following operation to thereby output the bivector T2 comprised of the coordinate value row of points in an intersection between a curve defined with the parameter A and a curve defined with the parameter B.

[0077] The operation made by the second device 22 for operating an intersection-set is explained hereinbelow with reference to Fig. 7.

[0078] In step 71, the second device 22 establishes, from the parameter A = (3, 4, -1, 0, 0, 0, 0, 0, 0, 0, 0, 1, -1) input thereinto, the equation f(x, y) = y^3 - x^4 - 1 = 0 defining a curve, and further establishes, from the parameter B = (2, 3, 8, 4, 14, 4, 16, 12, 13) input thereinto, the equation g(x, y) = 8 + 4x + 14y + 4x^2 + 16xy + 12y^2 + 13x^3 = 0 defining a curve. Then, the resultant of f(x, y) and g(x, y) with respect to y is calculated by expanding the following determinant.

As a result, there is obtained the polynomial s(x) = 16x + 2x^2 + 13x^3 + 13x^4 + 10x^5 + 2x^6 + 8x^8 + 4x^9. Resultants are treated, for instance, in "Introduction to Algebraic Geometry" by van der Waerden, Springer-Verlag, Tokyo.

[0079] Then, in step 72, the second device 22 for operating an intersection-set obtains the solutions of s(x) = 0, namely x_1 = 0, x_2 = 13, x_3 = 5, x_4 = 4, x_5 = 3, x_6 = 2, x_7 = 1, x_8 = α_1 and x_9 = α_2, where α_1 and α_2 are the roots of the irreducible quadratic equation 16 + 13x + x^2 = 0.

[0080] Then, in step 73, for each solution x_i obtained, the second device 22 calculates the greatest common divisor t_i(y) of f(x_i, y) and g(x_i, y), and obtains all solutions y = y_{i,1}, ..., y_{i,m_i} of the equation t_i(y) = 0.

[0081] That is, for i = 1, x_1 = 0, and the greatest common divisor of f(0, y) and g(0, y) is (16 + y). Solving 16 + y = 0 gives y_{1,1} = 1.

[0082] Similarly, for i = 2, x_2 = 13, and the greatest common divisor of f(13, y) and g(13, y) is (9 + y). Solving 9 + y = 0 gives y_{2,1} = 8.

[0083] For i = 3, x_3 = 5, and the greatest common divisor of f(5, y) and g(5, y) is (7 + y). Solving 7 + y = 0 gives y_{3,1} = 10.

[0084] For i = 4, x_4 = 4, and the greatest common divisor of f(4, y) and g(4, y) is (9 + y). Solving 9 + y = 0 gives y_{4,1} = 8.

[0085] For i = 5, x_5 = 3, and the greatest common divisor of f(3, y) and g(3, y) is (7 + y). Solving 7 + y = 0 gives y_{5,1} = 10.

[0086] For i = 6, x_6 = 2, and the greatest common divisor of f(2, y) and g(2, y) is y. Solving y = 0 gives y_{6,1} = 0.

[0087] For i = 7, x_7 = 1, and the greatest common divisor of f(1, y) and g(1, y) is (9 + y). Solving 9 + y = 0 gives y_{7,1} = 8.

[0088] For i = 8, x_8 = α_1, and the greatest common divisor of f(α_1, y) and g(α_1, y) is (8 + 8α_1 + y). Solving 8 + 8α_1 + y = 0 gives y_{8,1} = 9 + 9α_1.

[0089] For i = 9, x_9 = α_2, and the greatest common divisor of f(α_2, y) and g(α_2, y) is (8 + 8α_2 + y). Solving 8 + 8α_2 + y = 0 gives y_{9,1} = 9 + 9α_2.

[0090] Then, in step 74, the second device 22 for operating an intersection-set outputs the bivector S1 = ((0, 1), (13, 8), (5, 10), (4, 8), (3, 10), (2, 0), (1, 8), (α_1, 9 + 9α_1), (α_2, 9 + 9α_2)) comprised of the coordinate value row of the points in the point-set {(x_i, y_{i,j}) : 1 ≤ i ≤ n, 1 ≤ j ≤ m_i}.

[0091] Then, with reference to Fig. 3, the central processing unit 27 temporarily stores the bivector S1 transmitted from the second device 22, in the memory 24. Then, the central processing unit 27 receives the bivector T1 from the first storage file, and the bivector S1 from the fourth storage file, and transmits them to the third device 23 for calculating a difference-set.

[0092] The third device 23 for calculating a difference-set subtracts the point-set {(0, 1), (1, 8), (2, 0), (3, 10), (4, 8), (5, 10)} represented by the bivector T1 from the point-set {(0, 1), (13, 8), (5, 10), (4, 8), (3, 10), (2, 0), (1, 8), (α_1, 9 + 9α_1), (α_2, 9 + 9α_2)} represented by the bivector S1 to thereby obtain the difference-set {(13, 8), (α_1, 9 + 9α_1), (α_2, 9 + 9α_2)}, and then outputs the bivector T2 = ((13, 8), (α_1, 9 + 9α_1), (α_2, 9 + 9α_2)) comprised of the coordinate value row of the points in the thus obtained difference-set.
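The intersection-set device of steps 71 to 74 and the difference-set device of [0092] can be followed with the Python script below, which is an added example and not code from the patent or from NEC. It builds the resultant s(x) of f and g with respect to y as the determinant of their Sylvester matrix (the determinant the text expands), finds the roots of s(x) in GF(17), takes the greatest common divisor of f(x_i, y) and g(x_i, y) at each such root to recover y_i, and finally removes the points of T1 from the intersection. Points whose x-coordinate lies in an extension field (α_1 and α_2 in the text) are not enumerated; instead the irreducible factor of s(x) that carries them is returned, so the example covers the GF(17)-rational part of S1 and T2 exactly and the extension-field part by its defining polynomial. All function names are the example's own.

```python
from itertools import permutations

P = 17  # the finite field GF(17) of the embodiment

# Curve equations from the text as dicts {(i, j): coefficient of x^i y^j}
F = {(0, 3): 1, (4, 0): -1, (0, 0): -1}                  # f = y^3 - x^4 - 1 (parameter A)
G = {(0, 0): 8, (1, 0): 4, (0, 1): 14, (2, 0): 4,
     (1, 1): 16, (0, 2): 12, (3, 0): 13}                  # g from parameter B
T1 = [(0, 1), (1, 8), (2, 0), (3, 10), (4, 8), (5, 10)]   # bivector T1

# Univariate polynomials over GF(P) are coefficient lists indexed by degree.
def trim(a):
    a = [c % P for c in a]
    while len(a) > 1 and a[-1] == 0:
        a.pop()
    return a

def padd(a, b):
    return trim([(a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0)
                 for i in range(max(len(a), len(b)))])

def pmul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, ca in enumerate(a):
        for j, cb in enumerate(b):
            out[i + j] += ca * cb
    return trim(out)

def peval(a, x):
    return sum(c * pow(x, i, P) for i, c in enumerate(a)) % P

def pdivmod(a, b):
    """Long division over GF(P): returns (quotient, remainder)."""
    a, b = trim(a), trim(b)
    q, inv = [0] * max(1, len(a) - len(b) + 1), pow(b[-1], -1, P)
    while len(a) >= len(b) and a != [0]:
        d, c = len(a) - len(b), a[-1] * inv % P
        q[d] = c
        a = trim([a[i] - (c * b[i - d] if i >= d else 0) for i in range(len(a))])
    return trim(q), a

def pgcd(a, b):
    """Monic greatest common divisor, the t_i(y) of step 73."""
    a, b = trim(a), trim(b)
    while b != [0]:
        a, b = b, pdivmod(a, b)[1]
    return trim([c * pow(a[-1], -1, P) for c in a])

def y_coeffs(poly):
    """Coefficients of poly as a polynomial in y; each is a polynomial in x."""
    cols = [[0] * (max(i for i, _ in poly) + 1) for _ in range(max(j for _, j in poly) + 1)]
    for (i, j), c in poly.items():
        cols[j][i] = c
    return [trim(c) for c in cols]

def resultant_y(f, g):
    """Res_y(f, g): the determinant of the Sylvester matrix of f and g viewed as
    polynomials in y (step 71). It vanishes exactly at the x-coordinates of
    points common to both curves."""
    fc, gc = y_coeffs(f), y_coeffs(g)
    m, n = len(fc) - 1, len(gc) - 1
    rows = []
    for coeffs, copies in ((fc, n), (gc, m)):      # n shifts of f, m shifts of g
        for k in range(copies):
            row = [[0]] * (m + n)
            for j, c in enumerate(reversed(coeffs)):
                row[k + j] = c
            rows.append(row)
    det = [0]
    for perm in permutations(range(m + n)):        # Leibniz expansion (5x5 here)
        inversions = sum(perm[a] > perm[b] for a in range(m + n) for b in range(a + 1, m + n))
        term = [P - 1] if inversions % 2 else [1]
        for i, j in enumerate(perm):
            term = pmul(term, rows[i][j])
        det = padd(det, term)
    return det

def at_x(poly, x0):
    """Specialise a bivariate polynomial at x = x0, giving a polynomial in y."""
    return trim([peval(c, x0) for c in y_coeffs(poly)])

def rational_roots(s):
    return [x for x in range(P) if peval(s, x) == 0]

def intersection_points(f, g):
    """Steps 71-74 for the roots of s(x) that lie in GF(P). Returns (s, points);
    the x-coordinates outside GF(P) (alpha_1, alpha_2 in the text) stay in the
    factor returned by leftover_factor()."""
    s, pts = resultant_y(f, g), []
    for x in rational_roots(s):                               # step 72
        t = pgcd(at_x(f, x), at_x(g, x))                      # step 73
        pts += [(x, y) for y in range(P) if peval(t, y) == 0]
    return s, pts

def leftover_factor(s, roots):
    """Divide (x - r) out of s for every rational root r; the monic quotient
    is the part whose roots lie in an extension field."""
    for r in roots:
        s, rem = pdivmod(s, [(-r) % P, 1])
        assert rem == [0]
    return trim([c * pow(s[-1], -1, P) for c in s])

def difference_set(s1, t1):
    """[0092]: the points of S1 that are not in T1."""
    rest = list(s1)
    for pt in t1:
        rest.remove(pt)
    return rest

if __name__ == "__main__":
    s, pts = intersection_points(F, G)
    print(pts, leftover_factor(s, rational_roots(s)), difference_set(pts, T1))
```

Running the script lists the seven GF(17)-rational intersection points of the text, returns x^2 + 13x + 16 (as the coefficient list [16, 13, 1]) for the factor carrying α_1 and α_2, and leaves (13, 8) as the rational part of T2. The Leibniz expansion is adequate for the 5x5 Sylvester matrix of this embodiment; for curves of larger degree a fraction-free elimination would replace it.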

[0093] Then, the central processing unit 27 outputs the thus obtained bivector T2 to the sixth device 26.

[0094] Then, with reference to Fig. 1, the central processing unit 16 temporarily stores the bivector T2 transmitted from the second device 12, in the memory 13. Then, the central processing unit 16 receives the bivector T2 from the fifth storage file, and the parameter A from the third storage file, and transmits them again to the second device 12 for converting a point-set.

[0095] The second device 12 makes an operation in the same manner as mentioned earlier to thereby output the bivector X3 = ((1, 8), (β_1, 14 + 8β_1), (β_2, 14 + 8β_2)) which, when the bivector T2 is supposed to be the coordinate value row of points on the curve defined with the parameter A, is comprised of the coordinate value row of the points in the point-set indicative of the inverse of the point-set indicated by T2 in the Jacobian group of the curve defined with the parameter A. In the bivector X3, β_1 and β_2 are the roots of the irreducible quadratic equation 14 + 10x + x^2 = 0.

[0096] Then, the central processing unit 16 transmits the thus calculated bivector X3 to the fifth device 15.

[Apparatus for doubling a bivector]



[0097] Hereinbelow is explained an embodiment of the apparatus for doubling a bivector, in accordance with the present invention.

[0098] The apparatus for doubling a bivector in accordance with the embodiment operates and outputs a bivector Y which, when a bivector X is supposed to be the coordinate value row of points in a point-set Q on a curve defined with a parameter A, is comprised of the coordinate value row of points in a point-set R equal to a doubled Q in the Jacobian group of the curve defined with the parameter A. This apparatus can be accomplished in a computer.

[0099] Fig. 8 is a block diagram of the apparatus for doubling a bivector, in accordance with the present embodiment. Fig. 9 is a flow chart illustrating the operation made by the apparatus for doubling a bivector.

[0100] As illustrated in Fig. 8, the apparatus for doubling a bivector in accordance with the embodiment is comprised of an apparatus 31 for summing bivectors, a memory 32, an input device 33, an output device 34, and a central processing unit 35.

[0101] The apparatus 31 for summing bivectors is the same as the apparatus for summing bivectors illustrated in Fig. 1. The memory 32 includes a first storage file for storing a bivector X therein, a second storage file for storing a bivector Xa therein, and a third storage file for storing the parameter A therein.

[0102] It should be noted that the central processing unit 16, the fourth device 14 for inputting data therethrough, the fifth device 15 for outputting results therethrough, and the memory 13 in the apparatus for summing bivectors, illustrated in Fig. 1 may be used as the central processing unit 35, the input device 33, the output device 34, and the memory 32, respectively.

[0103] Hereinbelow is explained the operation of the apparatus for doubling a bivector, in accordance with the embodiment, with reference to Fig. 8. In the apparatus for doubling a bivector, illustrated in Fig. 8, it is supposed that a bivector X = ((0, 1), (1, 8), (2, 0)) on the finite field GF(17), and a parameter A = (3, 4, -1, 0, 0, 0, 0, 0, 0, 0, 0, 1, -1) defining a curve y^3 = F(x) = x^4 + 1 on the finite field GF(17), are input to the apparatus through the input device 33. The data format of the parameter A is as shown in Fig. 5.

[0104] The central processing unit 35 temporarily stores the bivector X, the bivector Xa which is a copy of the bivector X, and the parameter A in the memory 32.

[0105] Then, the central processing unit 35 receives the bivector X from the first storage file, the bivector Xa from the second storage file, and the parameter A from the third storage file, and transmits them to the apparatus 31 for summing bivectors to thereby obtain a bivector X2 = ((7, 11), (11, γ_1), (11, γ_2)) wherein γ_1 and γ_2 are the roots of the irreducible quadratic equation x^2 + 11x + 2 = 0.

[0106] Then, the central processing unit 35 transmits the thus obtained bivector X2 to the output device 34.

[Apparatus for multiplying a bivector by an integer]



[0107] Hereinbelow is explained an apparatus for multiplying a bivector by an integer in accordance with an embodiment of the present invention.

[0108] The apparatus for multiplying a bivector by an integer operates a bivector Z which, when a bivector X comprising a plurality of pairs of elements selected from a predetermined finite field is supposed to be the coordinate value row of points in a point-set Q on a curve defined with a parameter A, is comprised of coordinate value row of points in a point-set R equal to the point-set Q multiplied by an integer N in the Jacobian group of the curve defined with the parameter A. This apparatus can be accomplished in a computer.

[0109] Fig. 10 illustrates an apparatus for multiplying a bivector by an integer, in accordance with an embodiment of the present invention. Fig. 11 is a flow chart of an operation made by the apparatus for multiplying a bivector by an integer.

[0110] The apparatus for multiplying a bivector by an integer, in accordance with the embodiment is comprised of a first apparatus 41 for summing bivectors, a second apparatus 42 for doubling a bivector, a memory 43, an input device 44, an output device 45, and a central processing unit 46.

[0111] The first apparatus 41 for summing bivectors is the same as the apparatus illustrated in Fig. 1. The second apparatus 42 for doubling a bivector is the same as the apparatus illustrated in Fig. 8. The memory 43 includes a first storage file for storing an integer N therein, a second storage file for storing a bivector X therein, a third storage file for storing a bivector Y therein, a fourth storage file for storing a bivector Z therein, a fifth storage file for storing a parameter A therein, a sixth storage file for storing an integer R therein.

[0112] It should be noted that the central processing unit 16, the fourth device 14, the fifth device 15, and the memory 13 in the apparatus for summing bivectors, illustrated in Fig. 1, may be used as the central processing unit 46, the input device 44, the output device 45, and the memory 43, respectively.

[0113] Hereinbelow is explained the operation of the apparatus for multiplying a bivector by an integer, with reference to Figs. 10 and 11.

[0114] The input device 44 receives an integer N, a bivector X, and a parameter A defining a curve, and transmits them to the central processing unit 46. The central processing unit 46 stores the integer N in the first storage file, the bivector X in the second storage file, and the parameter A in the fifth storage file of the memory 43 in step 1101 in Fig. 11.

[0115] Then, an empty bivector Z is stored in the fourth storage file as an initial value, and a bivector Y which is a copy of the bivector X is stored in the third storage file of the memory in step 1102 in Fig. 11.

[0116] Then, the central processing unit 46 receives the integer N from the first storage file, and divides the integer N by 2 to thereby obtain a remainder R. The central processing unit 46 renews the sixth storage file with the thus obtained remainder R being used as a new R in step 1103 in Fig. 11. At the same time, the central processing unit 46 receives the integer N from the first storage file, and calculates a quotient obtained when the integer N is divided by 2. The central processing unit 46 renews the first storage file with the thus obtained quotient being used as a new N.

[0117] Then, the central processing unit 46 receives the remainder R from the sixth storage file, and determines whether the remainder R is equal to 1 or not in step 1104.

[0118] If the remainder R is determined to be equal to 1 in step 1104, the central processing unit 46 receives the bivector Y from the third storage file, the bivector Z from the fourth storage file, and the parameter A from the fifth storage file, and transmits the bivectors Y and Z, and the parameter A to the first apparatus for summing bivectors to thereby calculate a sum of the bivectors Y and Z. Then, the central processing unit 46 renews the fourth storage file with the thus obtained sum of the bivectors Y and Z being used as a new bivector Z in step 1105.

[0119] If the remainder R is determined to be unequal to 1 in step 1104, the central processing unit 46 receives the integer N from the first storage file, and then judges whether the integer N is greater than 0 or not in step 1106.

[0120] If the integer N is judged to be greater than 0 in step 1106, the central processing unit 46 receives the bivector Y from the third storage file and the parameter A from the fifth storage file, and transmits the bivector Y and the parameter A to the second apparatus 42 for doubling a bivector, to thereby double the bivector Y. Then, the central processing unit 46 renews the third storage file with the thus obtained doubled bivector Y being used as a new bivector Y in step 1108. Thereafter, the procedure returns to step 1103.

[0121] If the integer N is judged to be equal to zero in step 1106, the central processing unit 46 receives the bivector Z from the fourth storage file and outputs the bivector Z through the output device 45 in step 1107. The operation of the apparatus for multiplying a bivector by an integer is finished.

[0122] An apparatus for multiplying a bivector by an integer in accordance with the embodiment is detailed with reference to Figs. 10 and 11.

[0123] In the apparatus for multiplying a bivector by an integer, illustrated in Fig. 10, it is supposed that a bivector X = ((0, 1), (1, 8), (2, 0)) on the finite field GF(17), a parameter A = (3, 4, -1, 0, 0, 0, 0, 0, 0, 0, 0, 1, -1) defining a curve y^3 = F(x) = x^4 + 1 on the finite field GF(17), and an integer N = 5 are input to the apparatus through the input device 44 in step 1101. The data format of the parameter A is as shown in Fig. 5.

[0124] The central processing unit 46 temporarily stores the bivector X, the bivector Y which is a copy of the bivector X, the empty bivector Z, the parameter A, and the integer N in the memory 43 in step 1102.

[0125] Then, the central processing unit 46 receives the integer N from the first storage file, divides the integer N = 5 by 2 to thereby obtain a remainder R = 1, and temporarily stores the thus obtained remainder R in the sixth storage file. Furthermore, the central processing unit 46 receives the integer N from the first storage file, calculates a quotient 2 obtained when the integer N = 5 is divided by 2, and temporarily stores the thus obtained quotient in the first storage file in step 1103.

[0126] Then, the central processing unit 46 receives the remainder R from the sixth storage file, and then, since the remainder R is equal to 1 as determined in step 1104, the central processing unit 46 receives the bivector Y from the third storage file, the bivector Z from the fourth storage file, and the parameter A from the fifth storage file, and transmits the bivectors Y and Z, and the parameter A to the first apparatus 41 for summing bivectors to thereby have a bivector {(0, 1), (1, 8), (2, 0)} as an output from the first apparatus 41. Then, the central processing unit 46 temporarily stores the thus obtained bivector {(0, 1), (1, 8), (2, 0)} in the fourth storage file in step 1105.

[0127] Then, the central processing unit 46 receives the integer N from the first storage file, and then, since the integer N = 2 is greater than 0, as determined in step 1106, the central processing unit 46 receives the bivector Y from the third storage file and the parameter A from the fifth storage file, and transmits the bivector Y and the parameter A to the second apparatus 42 for doubling a bivector to thereby have a bivector {(7, 11), (11, α_1), (11, α_2)} as an output from the second apparatus 42. Then, the central processing unit 46 temporarily stores the thus obtained bivector {(7, 11), (11, α_1), (11, α_2)} in the third storage file in step 1108. Herein, α_1 and α_2 are the roots of the irreducible quadratic equation x^2 + 11x + 2 = 0.

[0128] Then, the central processing unit 46 receives the integer N from the first storage file, divides the integer N = 2 by 2 to thereby obtain a remainder R = 0, and temporarily stores the thus obtained remainder R in the sixth storage file. Furthermore, the central processing unit 46 receives the integer N from the first storage file, calculates a quotient 1 obtained by dividing the integer N = 2 by 2, and temporarily stores the thus obtained quotient in the first storage file in step 1103.

[0129] Then, the central processing unit 46 receives the integer R from the sixth storage file, and confirms in step 1104 that the integer R is not equal to 1.

[0130] Then, the central processing unit 46 receives the integer N from the first storage file, and then, since the integer N = 1 is greater than 0, as determined in step 1106, the central processing unit 46 receives the bivector Y from the third storage file and the parameter A from the fifth storage file, and transmits the bivector Y and the parameter A to the second apparatus 42 for doubling a bivector to thereby have a bivector ((β_1, 16 + 3β_1 + 7β_1^2), (β_2, 16 + 3β_2 + 7β_2^2), (β_3, 16 + 3β_3 + 7β_3^2)) as an output from the second apparatus 42. Then, the central processing unit 46 temporarily stores the thus obtained bivector ((β_1, 16 + 3β_1 + 7β_1^2), (β_2, 16 + 3β_2 + 7β_2^2), (β_3, 16 + 3β_3 + 7β_3^2)) in the third storage file in step 1108. Herein, β_1, β_2 and β_3 are the roots of the irreducible cubic equation x^3 + 14x^2 + 6x + 8 = 0.

[0131] Then, the central processing unit 46 receives the integer N from the first storage file. Since the integer N is equal to 1, the central processing unit 46 divides the integer N = 1 by 2 to thereby obtain a remainder R = 1, and then, temporarily stores the thus calculated remainder R = 1 in the sixth storage file. Furthermore, the central processing unit 46 receives the integer N from the first storage file, divides the integer N = 1 by 2 to thereby obtain a quotient 0, and then, temporarily stores the thus calculated quotient in the first storage file in step 1103.

[0132] Then, the central processing unit 46 receives the integer R from the sixth storage file, and then, since the integer R is equal to 1, as determined in step 1104, the central processing unit 46 receives the bivector Y from the third storage file, the bivector Z from the fourth storage file, and the parameter A from the fifth storage file, and transmits the bivectors Y and Z, and the parameter A to the first apparatus 41 for summing bivectors to thereby have a bivector ((γ_1, 13 + 2γ_1 + 5γ_1^2), (γ_2, 13 + 2γ_2 + 5γ_2^2), (γ_3, 13 + 2γ_3 + 5γ_3^2)) as an output from the first apparatus 41. Then, the central processing unit 46 temporarily stores the thus obtained bivector ((γ_1, 13 + 2γ_1 + 5γ_1^2), (γ_2, 13 + 2γ_2 + 5γ_2^2), (γ_3, 13 + 2γ_3 + 5γ_3^2)) in the fourth storage file in step 1105. Herein, γ_1, γ_2 and γ_3 are the roots of the irreducible cubic equation x^3 + 8x^2 + 7x + 9 = 0.

[0133] Then, the central processing unit 46 receives the integer N from the first storage file. Since the integer N is equal to zero, as determined in step 1106, the central processing unit 46 receives the bivector Z from the fourth storage file, and outputs the bivector Z through the output device 45 in step 1107.

[System for distributing a public key]



[0134] A system for distributing a public key in accordance with an embodiment of the present invention is explained hereinbelow with reference to Figs. 12 to 15, wherein Fig. 12 is a block diagram illustrating the system for distributing a public key, in which the apparatus for multiplying a bivector by an integer is employed, Fig. 13 illustrates an example of a center in the system for distributing a public key, illustrated in Fig. 12, Fig. 14 illustrates an example of a user terminal in the system for distributing a public key, illustrated in Fig. 12, and Fig. 15 is a flow chart of the operation made by the system for distributing a public key, in which the apparatus for multiplying a bivector by an integer is employed.

[0135] The system for distributing a public key in accordance with the embodiment is comprised of a single center and a plurality of user terminals, as illustrated in Fig. 12, and carries out steps illustrated in Fig. 15.

[0136] In the system for distributing a public key in accordance with the embodiment, the center in advance informs all the user terminals of a parameter A for defining a curve, and a bivector Q, in step 151.

[0137] A first user terminal U randomly selects an integer Nu, and keeps it secret. Similarly, a second user terminal V selects an integer Nv, and keeps it secret.

[0138] Then, the first user terminal U inputs the integer Nu, which is its own secret data, and the bivector Q and the parameter A, both of which are open data, into the apparatus for multiplying a bivector by an integer, and transmits the resultant bivector Qu = Nu × Q to the second user terminal V, in step 152. Similarly, the second user terminal V inputs the integer Nv, which is its own secret data, and the bivector Q and the parameter A, both of which are open data, into the apparatus for multiplying a bivector by an integer, and transmits the resultant bivector Qv = Nv × Q to the first user terminal U, in step 152.

[0139] Then, the first user terminal U inputs the bivector Qv transmitted from the second user terminal V, the integer Nu which is secret data of itself, and the parameter A which is open data into the apparatus for multiplying a bivector by an integer, and keeps a resultant bivector K = Nu × Qv = Nu × Nv × Q as a common key K, in step 153. Similarly, the second user terminal V inputs the bivector Qu transmitted from the first user terminal U, the integer Nv which is secret data of itself, and the parameter A which is open data into the apparatus for multiplying a bivector by an integer, and keeps a resultant bivector K = Nv × Qu = Nv × Nu × Q as a common key K, in step 153.

[0140] Thus, the first and second user terminals U and V can make secret communication therebetween through the use of the common key K in step 154.

[0141] Hereinbelow, an example of the center and the user terminal in the system for distributing a public key is explained.

[0142] As illustrated in Fig. 13, the center 80 is comprised of first means 81 for receiving a request to transmit a bivector and a parameter, and second means 82 for disclosing a bivector and a parameter. When the center 80 receives a request to transmit the bivector Q and the parameter A, from a user terminal through the first means 81, the center 80 discloses the requested bivector Q and parameter A to the user terminal through the second means 82.

[0143] Fig. 14 illustrates an example of the user terminal U 90. The user terminal U 90 is comprised of first means 91 for requesting to transmit a bivector and a parameter, second means 92 for receiving a bivector and a parameter, third means 93 for selecting an integer, an apparatus 94 for multiplying a bivector by an integer, fifth means 95 for outputting a bivector Qu, sixth means 96 for receiving a bivector Qv, seventh means 97 for storing a secret key therein, and eighth means 98 for making a secret communication.

[0144] The first means 91 requests the center to transmit the bivector Q and the parameter A, both of which have been disclosed.

[0145] The second means 92 receives and retains the bivector Q and the parameter A transmitted from the center in compliance with the request transmitted to the center through the first means 91, and transmits the thus received bivector Q and parameter A to the apparatus 94 for multiplying a bivector by an integer.

[0146] The third means 93 randomly selects an integer Nu, keeps it secret, and transmits the thus selected integer Nu to the apparatus 94 for multiplying a bivector by an integer.

[0147] The apparatus 94 for multiplying a bivector by an integer receives the bivector Q and the parameter A, both of which have been disclosed by the center, from the second means 92, receives the integer Nu from the third means 93, calculates the bivector Qu (Qu = Nu × Q) by multiplying the bivector Q by the integer Nu, and outputs the thus calculated bivector Qu to the fifth means 95.

[0148] The fifth means 95 transmits the bivector Qu calculated by the apparatus 94 to a user terminal V. The sixth means 96 receives the bivector Qv transmitted from the user terminal V, and transmits the thus received bivector Qv to the apparatus 94.

[0149] The apparatus 94 for multiplying a bivector by an integer receives the bivector Qv transmitted from the user terminal V, the integer Nu stored in the third means 93 as secret data, and the parameter A stored in the second means 92, calculates a bivector K by multiplying the bivector Qv by the integer Nu, and transmits the thus calculated bivector K to the seventh means 97.

[0150] The seventh means 97 stores the bivector K calculated by the apparatus 94, therein as a secret key.

[0151] The user terminal U 90 can make secret communication with the user terminal V through the eighth means 98, using the bivector K stored in the seventh means 97 as a secret key.

[0152] Then, the system for distributing a public key in accordance with a more detailed embodiment is explained hereinbelow.

[0153] First, the center discloses the parameter A = (3, 4, -1, 0, 0, 0, 0, 0, 0, 0, 0, 1, -1) defining a curve on the finite field GF(17), and the bivector Q = ((0, 1), (1, 8), (2, 0)) on the finite field GF(17), in step 151. Since the curve defined with the parameter A has genus 3, the present embodiment provides almost the same security as that obtained when a prime number of the size of 17^3 = 4913 is employed in a conventional DH-type method of distributing a public key.

[0154] Then, the user terminals calculate bivectors and distribute them in step 152. That is, the user terminals U and V request the center 80 to transmit a bivector and a parameter through the first means 91, and as a result obtain the bivector Q and the parameter A, both of which have been disclosed, through the second means 92. The user terminal U randomly selects and retains the integer Nu = 3 by means of the third means 93. Similarly, the user terminal V randomly selects and retains the integer Nv = 5 by means of the third means 93.

[0155] Then, the user terminal U transmits the integer Nu, which is its own secret data, and the bivector Q and the parameter A, both of which are open data, to the apparatus 94 for multiplying a bivector by an integer, and transmits the resultant bivector Qu = ((0, 1), (α_1, 12 + 3α_1), (α_2, 12 + 3α_2)) output from the apparatus 94 to the user terminal V through the fifth means 95. Herein, α_1 and α_2 are the roots of the irreducible quadratic equation x^2 + 6x + 6 = 0. Similarly, the user terminal V transmits the integer Nv, which is its own secret data, and the bivector Q and the parameter A, both of which are open data, to the apparatus 94 for multiplying a bivector by an integer, and transmits the resultant bivector Qv = ((γ_1, 13 + 2γ_1 + 5γ_1^2), (γ_2, 13 + 2γ_2 + 5γ_2^2), (γ_3, 13 + 2γ_3 + 5γ_3^2)) output from the apparatus 94 to the user terminal U through the fifth means 95. Herein, γ_1, γ_2 and γ_3 are the roots of the irreducible cubic equation x^3 + 8x^2 + 7x + 9 = 0.

[0156] Then, the common key is made in step 153. That is, the user terminal U receives the bivector Qv from the user terminal V through the sixth means 96, and transmits the thus received bivector Qv, the integer Nu which is stored in the third means 93 as secret data of itself, and the parameter A stored in the second means 92 as open data, to the apparatus 94 for multiplying a bivector by an integer, to thereby obtain a resultant bivector K = ((11, 11), (10, 11), (2, 0)) output from the apparatus 94, as the common key K. The thus obtained common key K is stored in the seventh means 97. Similarly, the user terminal V receives the bivector Qu from the user terminal U, and transmits the thus received bivector Qu, the integer Nv which is secret data of itself, and the parameter A stored in the second means 92 as open data, to the apparatus 94 for multiplying a bivector by an integer, to thereby obtain a resultant bivector K = ((11, 11), (10, 11), (2, 0)) output from the apparatus 94, as the common key K.

[0157] Thus, the user terminals U and V can make secret communication therebetween through the eighth means 98 through the use of the common key K.

[0158] The bivector Q and the parameter A both of which are open data may be managed by a fair third party, for instance, as illustrated in Fig. 12.
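The control flow of the multiplying apparatus (steps 1103 to 1108 of Fig. 11, [0114] to [0121]) and the key exchange of Fig. 15 (steps 151 to 154, [0136] to [0140]) are both driven by the same scalar-multiplication loop, so one Python script serves both passages. It is an added example, not code from the patent or from NEC, and it does not reimplement the Jacobian summing and doubling apparatus; instead it takes any group that supplies an identity (the empty bivector Z), a sum and a doubling. The stand-in group used for the demonstration is a constructed choice: the multiplicative group of GF(65537), which is the conventional DH-type setting the text compares against in [0153], so that the summing apparatus becomes modular multiplication and the doubling apparatus squaring. The names Group, multiply, dh_exchange, PRIME and MODP_STAR are the example's own.

```python
from dataclasses import dataclass
from typing import Any, Callable, List, Optional


@dataclass
class Group:
    """The two apparatus the multiplier relies on, plus the 'empty bivector'."""
    identity: Any                          # Z at step 1102 (empty bivector)
    add: Callable[[Any, Any], Any]         # apparatus 41: sum of two bivectors
    double: Callable[[Any], Any]           # apparatus 42: doubling a bivector


def multiply(n: int, x: Any, group: Group, trace: Optional[List[str]] = None) -> Any:
    """Return N x X by the procedure of Fig. 11 (steps 1103-1108).
    `trace`, if given, records which apparatus is invoked, in order."""
    if n < 0:
        raise ValueError("N must be a non-negative integer")
    z, y = group.identity, x               # step 1102: Z empty, Y a copy of X
    while True:
        r, n = n % 2, n // 2               # step 1103: remainder R and quotient N
        if r == 1:                         # step 1104
            z = group.add(z, y)            # step 1105: Z <- Y + Z
            if trace is not None:
                trace.append("add")
        if n > 0:                          # step 1106
            y = group.double(y)            # step 1108: Y <- 2Y, then back to 1103
            if trace is not None:
                trace.append("double")
        else:
            return z                       # step 1107: output Z


def dh_exchange(q: Any, n_u: int, n_v: int, group: Group):
    """Steps 152-153 of Fig. 15: U and V each multiply the public Q by their
    secret integer, exchange the results, and multiply what they received by
    their own secret again. Returns (Qu, Qv, K at U, K at V)."""
    q_u = multiply(n_u, q, group)          # U sends Qu = Nu x Q to V
    q_v = multiply(n_v, q, group)          # V sends Qv = Nv x Q to U
    k_u = multiply(n_u, q_v, group)        # U keeps K = Nu x Qv
    k_v = multiply(n_v, q_u, group)        # V keeps K = Nv x Qu
    return q_u, q_v, k_u, k_v


# Stand-in group (a constructed choice, not the patent's Jacobian): the
# multiplicative group of GF(65537), the conventional DH-type setting the
# text compares against. "add" is multiplication and "double" is squaring.
PRIME = 65537
MODP_STAR = Group(identity=1,
                  add=lambda a, b: a * b % PRIME,
                  double=lambda a: a * a % PRIME)


if __name__ == "__main__":
    ops: List[str] = []
    print(multiply(5, 3, MODP_STAR, ops), ops)   # 243 ['add', 'double', 'double', 'add']
    print(dh_exchange(3, 3, 5, MODP_STAR))       # Nu = 3 and Nv = 5 as in [0154]
```

With N = 5 the trace comes out as add, double, double, add, which is the order in which the summing and doubling apparatus are invoked in [0125] to [0133]. Two points for an implementer: the branch at step 1104 calls the summing apparatus only when the current bit of N is 1, so the sequence and timing of operations reveals the secret integer to anyone who can observe them (timing, power or cache behaviour), and a hardened implementation performs the same pattern of operations for every bit; and the stand-in group here is far too small to offer any security and is used only to exercise the control flow and to show that both sides of the exchange arrive at the same K.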

[El-Gamal type encryption system]



[0159] An El-Gamal type encryption system in accordance with an embodiment of the present invention is explained hereinbelow with reference to Figs. 16 to 19, wherein Fig. 16 is a block diagram illustrating the El-Gamal type encryption system in which the apparatus for multiplying a bivector by an integer is employed, Fig. 17 illustrates an example of a center in the El-Gamal type encryption system illustrated in Fig. 16, Fig. 18 illustrates an example of a user terminal in the El-Gamal type encryption system illustrated in Fig. 16, and Fig. 19 is a flow chart of an operation made by the El-Gamal type encryption system in which the apparatus for multiplying a bivector by an integer is employed.

[0160] The El-Gamal type encryption system in accordance with the embodiment is comprised of a single center and a plurality of user terminals including a transmitter terminal and a receiver terminal, as illustrated in Fig. 16, and carries out steps illustrated in Fig. 19.

[0161] In the El-Gamal type encryption system in accordance with the embodiment, the center in advance informs all the user terminals of a parameter A for defining a curve, and a bivector Q, in step 191.

[0162] Each user terminal U randomly selects an integer Nu, and keeps it secret, in step 192. Then, each user terminal U inputs the integer Nu, which is its own secret data, and the bivector Q and the parameter A, both of which are open data, into the apparatus for multiplying a bivector by an integer, to thereby calculate Qu = Nu × Q in step 193, and informs the other user terminals of the bivector Qu = Nu × Q as its public key, in step 194.

[0163] When a correspondence is to be transmitted, the user terminal U encrypts the correspondence in step 195 in accordance with a predetermined rule through the use of the apparatus for multiplying a bivector by an integer, based on any integer Nu and the public key Qv of the user terminal V to which the correspondence is to be transmitted.

[0164] The user terminal V, having received the encrypted correspondence, decrypts the correspondence in accordance with a predetermined rule through the use of the apparatus for multiplying a bivector by an integer, based on the integer Nv kept secret, in step 196.

[0165] Hereinbelow, an example of the center and the user terminal in the El-Gamal encryption system is explained.

[0166] As illustrated in Fig. 17, the center 100 is comprised of first means 101 for receiving a request to disclose a bivector, a parameter, and a public key, second means 102 for disclosing a bivector, a parameter, and a public key, and third means 103 for receiving a public key.

[0167] The third means 103 receives a public key disclosed by each of the user terminals. When the center 100 receives a request to transmit the bivector Q, the parameter A, and the public key Qu from a user terminal through the first means 101, the center 100 discloses the bivector Q, the parameter A, and the public key Qu stored in the second means 102, to the user terminal making a request, through the second means 102.

[0168] Fig. 18 illustrates an example of the user terminal 110. The user terminal 110 is comprised of first means 111 for requesting to transmit a bivector, a parameter and a public key, second means 112 for receiving a bivector, a parameter and a public key, third means 113 for selecting an integer, an apparatus 114 for multiplying a bivector by an integer, fifth means 115 for transmitting a public key, an apparatus 116 for selecting a random number, seventh means 117 for transmitting a cipher C1, eighth means 118 for transmitting a cipher C2, ninth means 119 for decryption, tenth means 120 for receiving a cipher C1, and eleventh means 121 for receiving a cipher C2.

[0169] The first means 111 requests the center to transmit the bivector Q, the parameter, the public key Qv of other user terminals all of which have been disclosed.

[0170] The second means 112 receives and retains the bivector Q, the parameter A, and the public key Qv having been disclosed, from the center in compliance with the request transmitted to the center through the first means 111, and transmits them to the apparatus 114 for multiplying a bivector by an integer.

[0171] The third means 113 randomly selects an integer Nu, keeps it secret, and transmits the thus selected integer Nu to the apparatus 114 for multiplying a bivector by an integer.

[0172] The apparatus 114 for multiplying a bivector by an integer receives the bivector Q and the parameter A, both of which have been disclosed by the center, from the second means 112, receives the integer Nu from the third means 113, calculates the bivector Qu (Qu = Nu × Q) by multiplying the bivector Q by the integer Nu, and outputs the thus calculated bivector Qu to the fifth means 115.

[0173] The fifth means 115 transmits the bivector Qu to the center 100 to disclose as a public key.

[0174] The sixth means 116 selects a random number Ru, keeps it secret, and transmits the thus selected random number Ru to the apparatus 114 for multiplying a bivector by an integer.

[0175] The apparatus 114 for multiplying a bivector by an integer receives the bivector Q and the parameter A both stored in the second means 112, and the integer Ru stored in the sixth means 116 as secret data, calculates a bivector C1 by multiplying the bivector Q by the integer Ru, and stores the thus calculated bivector C1 in a memory 122 as a cipher C1. The apparatus 114 for multiplying a bivector by an integer further receives the bivector Qv of the other user terminal and the parameter A, both stored in the second means 112, and the integer Ru stored in the sixth means 116, calculates a bivector T1 by multiplying the bivector Qv by the integer Ru, and transmits the thus calculated bivector T1 to the eighth means 118.

[0176] The eighth means 118 calculates a sum t1 of first elements in each of groups contained in the bivector T1, and adds a correspondence M to the sum t1 to thereby make a cipher C2.

[0177] Thereafter, the ciphers C1 and C2 are transmitted to other user terminals through the seventh and eighth means 117 and 118.

[0178] The user terminal as a receiver receives and retains the ciphers C1 and C2 transmitted from the transmitter user terminal, through the tenth and eleventh means 120 and 121.

[0179] The apparatus 114 for multiplying a bivector by an integer receives the cipher C1 transmitted from the transmitter user terminal and stored in the tenth means 120, the integer Nv stored in the third means 113 as secret data, and the parameter A stored in the second means 112, calculates a bivector T2 by multiplying the bivector C1 by the integer Nv, and transmits the thus calculated bivector T2 to the decryption means 119.

[0180] The decryption means 119 receives the cipher C2 transmitted from the transmitter user terminal and stored in the eleventh means 121, and the bivector T2 calculated by the apparatus 114 for multiplying a bivector by an integer, calculates a sum t2 of first elements in each of groups contained in the bivector T2, and subtracts the thus calculated sum t2 from the cipher C2 to thereby decrypt the correspondence M.

[0181] The El-Gamal type encryption system in accordance with a more detailed embodiment is explained hereinbelow.

[0182] First, the center discloses the parameter A = (3, 4, -1, 0, 0, 0, 0, 0, 0, 0, 0, 1, -1) defining a curve on a finite field GF(17), and the bivector Q = ((0, 1), (1, 8), (2, 0)) existing on the finite field GF(17) in step 191. Since the curve defined with the parameter A has a genus of 3, the present embodiment can have almost the same security as security obtained in a case where a prime number of 17^3 = 4913 is employed in a conventional El-Gamal type encryption system.

[0183] Then, each of the user terminals selects an integer as a secret key in step 192. That is, for instance, a user terminal U randomly selects the integer Nu = 3 by means of the third means 113, and keeps the integer Nu secret. Similarly, the user terminal V randomly selects the integer Nv = 5 by means of the third means 113, and keeps the integer Nv secret.

[0184] Then, each of the user terminals calculates a public key in step 193. That is, for instance, the user terminal U requests the center 100 to transmit the bivector Q and the parameter A thereto through first means 111, and receives the bivector Q and the parameter A, both of which have been disclosed, through the second means 112. Then, the user terminal U transmits the integer Nu which is secret data of itself, and the bivector Q and the parameter A both of which are open data, to the apparatus 114 for multiplying a bivector by an integer, and obtains a resultant bivector Qu = ((0, 1), (α_1, 12 + 3α_1), (α_2, 12 + 3α_2)) output from the apparatus 114, as a public key. Herein, α_1 and α_2 are solutions to a quadratic irreducible equation x^2 + 6x + 6 = 0.

[0185] Similarly, the user terminal V transmits the integer Nv which is secret data of itself, and the bivector Q and the parameter A both of which are open data, to the apparatus 114 for multiplying a bivector by an integer, and obtains a resultant bivector Qv = ((γ_1, 13 + 2γ_1 + 5γ_1^2), (γ_2, 13 + 2γ_2 + 5γ_2^2), (γ_3, 13 + 2γ_3 + 5γ_3^2)) output from the apparatus 114, as a public key. Herein, γ_1, γ_2 and γ_3 are solutions to a tertiary irreducible equation x^3 + 8x^2 + 7x + 9 = 0.

[0186] Then, each of the user terminals discloses its public key in step 194. For instance, the user terminals U and V disclose the public keys Qu and Qv by transmitting them to the center 100 through the fifth means 115.

[0187] Then, a transmitter encrypts a correspondence, and then, transmits the thus encrypted correspondence to a receiver in step 195. For instance, a user terminal U encrypts a correspondence M = 11, and transmits the encrypted correspondence to a user terminal V, as follows.

[0188] First, the user terminal U establishes a random number Ru = 8 by means of the sixth means 116. Then, the user terminal U inputs the random number Ru stored in the sixth means 116 and known only by the user terminal U, and the bivector Q and the parameter A both stored in the second means 112, into the apparatus 114 for multiplying a bivector by an integer, and stores a resultant bivector C1 = ((3, 10), (ε_1, 9 + 3ε_1), (ε_2, 9 + 3ε_2)) output from the apparatus 114, in the seventh means 117 as a cipher C1. Herein, ε_1 and ε_2 are solutions of a quadratic irreducible equation x^2 + 7x + 2 = 0.

[0189] Then, the user terminal U requests the center 100 to transmit a public key of the user terminal V, through the first means 111, and as a result, obtains the public key Qv through the second means 112. Then, the user terminal U inputs the random number Ru stored in the sixth means 116 as secret data of the user terminal U, the public key Qv of the user terminal V stored in the second means 112 as open data, and the parameter A into the apparatus 114 for multiplying a bivector by an integer, and calculates a bivector T1.

[0190] The eighth means 118 calculates a total sum t1 = δ_1 + δ_2 + δ_3 = 10 of first elements in each of groups contained in the bivector T1 = ((δ_1, 4 + 3δ_1 + 14δ_1^2), (δ_2, 4 + 3δ_2 + 14δ_2^2), (δ_3, 4 + 3δ_3 + 14δ_3^2)) calculated by the apparatus 114 for multiplying a bivector by an integer, and adds a correspondence M to the total sum t1 to thereby obtain a cipher C2 = M + t1 = 11 + 10 = 4 (mod 17). Herein, δ_1, δ_2, and δ_3 are solutions of a tertiary irreducible equation x^3 + 7x^2 + 7 = 0.

[0191] Then, the user terminal U transmits the ciphers C1 and C2 to the user terminal V.

[0192] Then, the user terminal V or receiver decrypts the encrypted correspondence in step 196. That is, the user terminal V receives the ciphers C1 and C2 from the user terminal U through the tenth and eleventh means 120 and 121, and retains them. The user terminal V inputs the cipher C1 stored in the tenth means 120, the secret key Nv stored in the third means 113 as secret data, and the parameter A stored in the second means 112 as open data into the apparatus 114 for multiplying a bivector by an integer, to thereby calculate a bivector T2.

[0193] The decryption means 119 calculates a total sum t2 = δ_1 + δ_2 + δ_3 = 10 of first elements in each of groups contained in the bivector T2 = ((δ_1, 4 + 3δ_1 + 14δ_1^2), (δ_2, 4 + 3δ_2 + 14δ_2^2), (δ_3, 4 + 3δ_3 + 14δ_3^2)) calculated by the apparatus 114 for multiplying a bivector by an integer, and subtracts the total sum t2 from the cipher C2 to thereby decrypt the correspondence M = C2 - t2 = 4 - 10 = 11 (mod 17). Herein, δ_1, δ_2, and δ_3 are solutions of a tertiary irreducible equation x^3 + 7x^2 + 7 = 0.

[0194] The bivector Q, the parameter A, and the public keys Qu and Qv, all of which are open data, may be managed by a neutral third party, as illustrated in Fig. 16, for instance.

[El-Gamal type signature System]



[0195] An El-Gamal type signature system in accordance with an embodiment is explained hereinbelow with reference to Figs. 20 to 24, wherein Fig. 20 is a block diagram illustrating the El-Gamal type signature system in which the apparatus for multiplying a bivector by an integer is employed, Fig. 21 illustrates an example of a center in the El-Gamal type signature system illustrated in Fig. 20, Fig. 22 illustrates an example of a certifier terminal in the El-Gamal type signature system illustrated in Fig. 20, Fig. 23 illustrates an example of a verifier terminal in the El-Gamal type signature system illustrated in Fig. 20, and Fig. 24 is a flow chart of an operation made by the El-Gamal type signature system in which the apparatus for multiplying a bivector by an integer is employed.

[0196] The El-Gamal type signature system in accordance with the embodiment is comprised of a single center, a certifier terminal, and a verifier terminal, as illustrated in Fig. 20, and carries out steps illustrated in Fig. 24.

[0197] In the El-Gamal type signature system in accordance with the embodiment, the center in advance informs all the user terminals of a parameter A for defining a curve, and a bivector Q, in step 241.

[0198] The certifier terminal U randomly selects an integer Nu as a signature key, and keeps it secret in step 242. Then, the certifier terminal U inputs the integer Nu, which is secret data of itself, and the bivector Q and the parameter A, both of which are open data, into an apparatus for multiplying a bivector by an integer, to thereby calculate Qu = Nu × Q, and informs the other user terminals of the bivector Qu = Nu × Q as a verification key, in step 243.

[0199] Then, the certifier terminal U makes a signature text for a correspondence M in accordance with a predetermined rule by means of the apparatus for multiplying a bivector by an integer, based on any integer and the signature key Nu, in step 244, and thereafter, transmits the signature text and the correspondence M to the verifier terminal V in step 245.

[0200] The verifier terminal V verifies the correspondence M in accordance with a predetermined rule by means of the apparatus for multiplying a bivector by an integer, based on the signature text and the verification key Qu of the user terminal U, in step 246.

[0201] Hereinbelow, examples of the center, the certifier terminal, and the verifier terminal in the El-Gamal type signature system are explained.

[0202] As illustrated in Fig. 21, the center 160 is comprised of first means 161 for receiving a request to transmit a bivector, a parameter, and a verification key, second means 162 for disclosing a bivector, a parameter, and a verification key, and third means 163 for receiving a verification key. The third means 163 receives a disclosed key from a verifier terminal. When the center 160 receives a request to transmit a bivector Q, a parameter A, and a verification key Qu to a certifier or verifier terminal, through the first means 161 from a certifier or verifier terminal, the center 160 transmits the bivector Q, the parameter A, and the verification key Qu stored in the second means, to a terminal making the request.

[0203] Fig. 22 illustrates an example of a certifier terminal. The illustrated certifier terminal 170 is comprised of first means 171 for transmitting a request to transmit a bivector and a parameter, second means 172 for receiving a bivector and a parameter, third means 173 for generating an integer, an apparatus 174 for multiplying a bivector by an integer, fifth means 175 for transmitting a verification key, an apparatus 176 for generating a random number, seventh means 177 for transmitting a signature text R, eighth means 178 for transmitting a signature text S, and ninth means 179 for transmitting a correspondence M.

[0204] The first means 171 requests the center 160 to transmit a bivector Q and a parameter A thereto, both of which have been disclosed.

[0205] The second means 172 receives and retains the bivector Q and the parameter A transmitted from the center 160 in compliance with a request transmitted to the center 160 through the first means 171, and transmits them to the apparatus 174 for multiplying a bivector by an integer.

[0206] The third means 173 randomly selects an integer Nu, keeps the thus selected integer Nu in secret as a signature key, and inputs the signature key Nu into the apparatus 174 for multiplying a bivector by an integer.

[0207] The apparatus 174 for multiplying a bivector by an integer receives the bivector Q and the parameter A, both of which have been disclosed by the center 160, from the second means 172, and the signature key Nu from the third means 173, calculates a bivector Qu (Qu = Q × Nu) by multiplying the bivector Q by the integer Nu, and transmits the thus calculated bivector Qu to the fifth means 175.

[0208] The fifth means 175 transmits the bivector Qu to the center 160 to disclose as a verification key.

[0209] The apparatus 176 for generating a random number generates a random number K, keeps it secret, and transmits the thus generated random number K to the apparatus 174 for multiplying a bivector by an integer.

[0210] The apparatus 174 for multiplying a bivector by an integer receives the bivector Q and the parameter A both stored in the second means 172, and the integer K stored in the sixth means 176 as secret data, calculates a bivector R (R = Q × K) as a signature text by multiplying the bivector Q by the integer K, and stores the thus calculated bivector R as a signature text in both the seventh and eighth means 177 and 178.

[0211] The eighth means 178 receives the bivector R (R = Q × K) from the apparatus 174, the random number K from the apparatus 176, the integer Nu from the third means 173, and the correspondence M from the ninth means 179, and calculates the signature text S = (M - Nu × x(R)) K^{-1} mod O(Q) as a second signature text. Herein, x(R) indicates the total sum of first elements in each of the groups contained in the bivector R, and O(Q) indicates an order number of the bivector Q.

[0212] The ninth means 179 retains the correspondence M, and transmits the correspondence M to the eighth means 178.

[0213] Then, the signature texts R and S, and the correspondence M are transmitted to the verifier terminal through the seventh, eighth, and ninth means, respectively.

[0214] Fig. 23 illustrates an example of a verifier terminal. The illustrated verifier terminal 180 is comprised of first means 181 for transmitting a request to transmit a bivector, a parameter, and a verification key, second means 182 for receiving a bivector, a parameter, and a verification key, an apparatus 183 for multiplying a bivector by an integer, an apparatus 184 for summing bivectors, fifth means 185 for receiving a signature text R, sixth means 186 for receiving a signature text S, seventh means 187 for receiving a correspondence M, a first storage means 188 for storing a bivector T1 therein, a second storage means 189 for storing a bivector T2 therein, a third storage means 190 for storing a bivector T3 therein, a fourth storage means 191 for storing a bivector T4 therein, and verification means 192 for carrying out verification.

[0215] The first means 181 requests the center 160 to transmit a bivector Q, a parameter A, and a verification key thereto, all of which have been disclosed.

[0216] The second means 182 receives and retains the bivector Q, the parameter A, and the verification key Qu transmitted from the center 160 in compliance with a request transmitted to the center 160 through the first means 181, and transmits them to the apparatus 183 for multiplying a bivector by an integer.

[0217] The apparatus 183 for multiplying a bivector by an integer receives the bivector Q and the parameter A, both of which have been disclosed by the center 160, through the second means 182, and the correspondence M from the seventh means 187, calculates the bivector T1 (T1 = Q × M) by multiplying the bivector Q by the correspondence M, and transmits the thus calculated bivector T1 to the first storage means 188 for storing therein.

[0218] The apparatus 183 for multiplying a bivector by an integer receives the sum x (R) of first elements in each of groups contained in the bivector R, from the fifth means 185, and the verification key Qu and the parameter A, both of which have been disclosed by the center 160, from the second means 182, calculates the bivector T2 = x (R) × Qu by multiplying the sum x (R) by the verification key Qu, and transmits the thus calculated bivector T2 to the second storage means 189 for storing therein.

[0219] The apparatus 183 for multiplying a bivector by an integer receives the bivector R from the fifth means 185, the signature text S from the sixth means 186, and the parameter A, which has been disclosed by the center 160, from the second means 182, calculates the bivector T3 = S × R by multiplying the bivector R by the signature text S, and transmits the thus calculated bivector T3 to the third storage means 190 for storing therein.

[0220] The apparatus 184 for summing bivectors receives the bivector T2 from the second storage means 189, the bivector T3 from the third storage means 190, and the parameter A from the second means 182, calculates the bivector T4 (T4 = T2 + T3) by summing the bivectors T2 and T3, and transmits the thus calculated bivector T4 to the fourth storage means 191 for storing therein.

[0221] The verification means 192 confirms whether the bivector T1 stored in the first storage means 188 is identical with the bivector T4 stored in the fourth storage means 191, to thereby verify whether the correspondence M is made by the certifier terminal U.

[0222] The El-Gamal type signature system in accordance with a more detailed embodiment is explained hereinbelow.

[0223] First, the center 160 discloses the parameter A = (3, 4, -1, 0, 0, 0, 0, 0, 0, 0, 0, 1, -1) defining a curve on a finite field GF(17), and the bivector Q = ((0, 1), (1, 8), (2, 0)) existing on the finite field GF(17), in step 241. Since the curve defined with the parameter A has a genus of 3, the present embodiment can have almost the same security as security obtained in a case where a prime number of 17^3 = 4913 is employed in a conventional El-Gamal type signature system.

[0224] Then, a certifier selects an integer as a signature key in step 242. For instance, a certifier terminal U randomly selects the integer Nu = 3 as a signature key by means of the third means 173, and keeps the integer Nu secret as a signature key.

[0225] Then, the certifier calculates a verification key, and discloses it, in step 243. That is, for instance, the certifier terminal U requests the center 160 to transmit the bivector Q and the parameter A thereto through first means 171, and receives the bivector Q and the parameter A, both of which have been disclosed, through the second means 172. Then, the certifier terminal U transmits the integer Nu which is secret data of itself, and the bivector Q and the parameter A both of which are open data, to the apparatus 174 for multiplying a bivector by an integer, obtains a resultant bivector Qu = ((0, 1), (α_1, 12 + 3α_1), (α_2, 12 + 3α_2)) output from the apparatus 174, as a verification key, and stores the thus obtained bivector Qu as a verification key in the fifth means 175. Herein, α_1 and α_2 are solutions to a quadratic irreducible equation x^2 + 6x + 6 = 0.

[0226] The fifth means 175 transmits the bivector or verification key Qu to the center 160 for disclosing.

[0227] Then, the certifier terminal U makes signature texts R and S for the correspondence M, in step 244. For instance, the certifier terminal U makes the signature texts R and S for a correspondence M = 11, as follows.

[0228] First, the certifier terminal U establishes a random number K = 7 by means of the sixth means 176. Then, the certifier terminal U inputs the random number K stored in the sixth means 176 as secret data, and the bivector Q and the parameter A both stored in the second means 172 as open data, into the apparatus 174 for multiplying a bivector by an integer, to thereby calculate a bivector R = Q × K by multiplying the bivector Q by the random number K, and transmits the resultant bivector R = ((3, 7), (ε_1, 9 + 3ε_1), (ε_2, 9 + 3ε_2)) output from the apparatus 174, both to the seventh means 177 and the eighth means 178 as a signature text R. Herein, ε_1 and ε_2 are solutions of a quadratic irreducible equation x^2 + 7x + 2 = 0.

[0229] Then, the certifier terminal U transmits the signature text R = Q × K from the apparatus 174 for multiplying a bivector by an integer, the random number K from the apparatus 176 for generating a random number, the integer Nu from the third means 173, and the correspondence M from the ninth means 179, to the eighth means 178, to thereby calculate S = (M - Nu × x(R)) K^{-1} mod O(Q) as a second signature text. Herein, x(R) indicates a total sum of first elements in each of groups contained in the bivector R, and O(Q) indicates an order number of the bivector Q.

[0230] In the present embodiment, since x (R) and O(Q) have values as follows, the signature text S is calculated as follows.





Then, the certifier terminal U transmits the signature texts R and S, and the correspondence M to the verifier terminal V in step 245 through seventh, eighth, and ninth means 177, 178 and 179, respectively.

[0231] Then, the verifier terminal V verifies whether the equation M × Q = x(R) × Qu + S × R holds or not, in step 246.
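Why the check in step 246 succeeds for a genuine signature, written out with the document's own symbols (an added derivation, not part of the original text; integer arithmetic is taken modulo O(Q), the order of Q, as in the definition of S):

$$ S \times R = S K \times Q = \bigl(M - N_u\, x(R)\bigr) K^{-1} K \times Q = \bigl(M - N_u\, x(R)\bigr) \times Q, $$

$$ x(R) \times Q_u + S \times R = x(R)\, N_u \times Q + M \times Q - N_u\, x(R) \times Q = M \times Q. $$

The first line uses R = K × Q and the definition of S; the second uses Qu = Nu × Q. The cancellation depends on K being invertible modulo O(Q), which is why the random number K must be chosen coprime to O(Q).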

[0232] That is, the verifier terminal V requests the center 160 to transmit the bivector Q and the parameter A, through the first means 181, and as a result, obtains the bivector Q and the parameter A through the second means 182. Then, the verifier terminal V inputs the correspondence M received through the seventh means 187, and the bivector Q and the parameter A both received as open data through second means 182, into the apparatus 183 for multiplying a bivector by an integer, to thereby calculate a bivector T1 = M × Q by multiplying the bivector Q by the correspondence M. The verifier terminal V stores the resultant bivector T1 = ((η_1, 13 + 15η_1 + 13η_1^2), (η_2, 13 + 15η_2 + 13η_2^2), (η_3, 13 + 15η_3 + 13η_3^2)) in the first storage means 188. Herein, η_1, η_2, and η_3 are solutions of a tertiary irreducible equation x^3 + 8x + 1 = 0.

[0233] The verifier terminal V further requests the center 160 to transmit the verification key Qu of the certifier terminal U through the first means 181, and as a result, obtains the verification key Qu through the second means 182. Then, the verifier terminal V inputs the total sum x(R) = 9 of first elements in each of groups contained in the bivector R received through the fifth means 185, and the verification key Qu of the certifier terminal U and the parameter A both received as open data through second means 182, into the apparatus 183 for multiplying a bivector by an integer, to thereby calculate a bivector T2 = x(R) × Qu by multiplying the total sum x(R) by the verification key Qu. The verifier terminal V stores the resultant bivector T2 = ((2, 0), (θ_1, 4 + 16θ_1), (θ_2, 4 + 16θ_2), (θ_3, 4 + 16θ_3)) in the second storage means 189. Herein, θ_1, θ_2, and θ_3 are solutions of a quadratic irreducible equation x^2 + 7x + 2 = 0.

[0234] The verifier terminal V further inputs the signature texts S and R having been received from the fifth and sixth means 185 and 186, respectively, and the parameter A having been received through second means 182 as open data, into the apparatus 183 for multiplying a bivector by an integer, to thereby calculate the bivector T3 = R × S by multiplying the signature text S by the signature text R. The verifier terminal V stores the resultant bivector T3 = (( , 12 + 6  + 15 ), ( , 12 + 6  + 15 ), ( , 12 + 6  + 15 )) in the third storage means 190. Herein, , , and are solutions of a tertiary irreducible equation x^3 + 10x^2 + 15x + 12 = 0.

[0235] The verifier terminal V further inputs the bivectors T2 and T3 from the second and third storage means 189 and 190, respectively, and the parameter A, which is open data, from second means 182, into the apparatus 184 for summing bivectors, to thereby calculate the bivector T4 by summing T2 and T3 (T4 = T2 + T3). The verifier terminal V stores the resultant bivector T4 = ((η_1, 13 + 15η_1 + 13η_1^2), (η_2, 13 + 15η_2 + 13η_2^2), (η_3, 13 + 15η_3 + 13η_3^2)) in the fourth storage means 191.

[0236] The verifier terminal V inputs the bivectors T1 and T4 into the verification means 192 from the first and fourth storage means 188 and 191, respectively, to thereby confirm whether the bivector T1 is identical with the bivector T4. If they are identical with each other, the verifier terminal V verifies that the correspondence M has been made by the certifier terminal U.

[0237] The bivector Q, the parameter A, and the verification key Qu, all of which are open data, may be managed by a neutral third party, as illustrated in Fig. 20, for instance.
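The El-Gamal type encryption (steps 191 to 196) and signature (steps 241 to 246) described above, as an added example that is neither the patent's own code nor its bivector apparatus. It keeps the message flow and the formulas (C1 = Ru × Q, C2 = M + t1, M = C2 - t2, S = (M - Nu × x(R)) K^{-1} mod O(Q), check M × Q = x(R) × Qu + S × R) but substitutes scalar multiplication on a toy elliptic curve y^2 = x^3 + x + 1 over GF(23) for the Jacobian-group multiplication of a bivector by an integer, and the x-coordinate of a point for "the sum of first elements in each group". The curve, the base element Q = (0, 1), the keys Nu = 3 and Nv = 5, the random numbers and the correspondence M = 11 are constructed values chosen for the example.

```python
"""El-Gamal type encryption and signature in the shape of the patent's embodiment,
with a toy elliptic curve standing in for the Jacobian group of the genus-3 curve.
Added example; constructed parameters, not the patent's GF(17) curve."""
from __future__ import annotations
from typing import Optional, Tuple

Point = Optional[Tuple[int, int]]   # None plays the role of the group identity

# Constructed toy curve (assumption): y^2 = x^3 + a*x + b over GF(p).
P_MOD, A_COEF, B_COEF = 23, 1, 1
Q: Point = (0, 1)                   # public base element, analogous to bivector Q


def inv_mod(v: int, m: int) -> int:
    """Modular inverse; pow() raises ValueError when v is not invertible mod m."""
    return pow(v % m, -1, m)


def point_add(p1: Point, p2: Point) -> Point:
    """Group law on the curve; stands in for the 'apparatus for summing bivectors'."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                                   # p1 = -p2, sum is the identity
    if p1 == p2:
        lam = (3 * x1 * x1 + A_COEF) * inv_mod(2 * y1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * inv_mod(x2 - x1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def scalar_mul(n: int, p: Point) -> Point:
    """Double-and-add; stands in for the 'apparatus for multiplying a bivector by an integer'."""
    result: Point = None
    addend = p
    while n > 0:
        if n & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        n >>= 1
    return result


def order_of(p: Point) -> int:
    """O(Q) of the patent: smallest n > 0 with n*Q = identity (brute force, toy sizes only)."""
    n, acc = 1, p
    while acc is not None:
        acc = point_add(acc, p)
        n += 1
    return n


def first_elements_sum(p: Point) -> int:
    """x(R), t1, t2 of the patent: here simply the x-coordinate of the point."""
    if p is None:
        raise ValueError("identity element has no coordinate")
    return p[0]


# ---- El-Gamal type encryption (steps 191 to 196) ----
def public_key(secret: int) -> Point:
    return scalar_mul(secret, Q)                      # Qu = Nu x Q


def encrypt(m: int, ru: int, qv: Point) -> Tuple[Point, int]:
    c1 = scalar_mul(ru, Q)                            # C1 = Ru x Q
    t1 = first_elements_sum(scalar_mul(ru, qv))       # T1 = Ru x Qv
    return c1, (m + t1) % P_MOD                       # C2 = M + t1


def decrypt(c1: Point, c2: int, nv: int) -> int:
    t2 = first_elements_sum(scalar_mul(nv, c1))       # T2 = Nv x C1 (= Ru x Qv)
    return (c2 - t2) % P_MOD                          # M = C2 - t2


# ---- El-Gamal type signature (steps 241 to 246) ----
def sign(m: int, nu: int, k: int) -> Tuple[Point, int]:
    n = order_of(Q)
    r = scalar_mul(k, Q)                              # R = K x Q
    s = (m - nu * first_elements_sum(r)) * inv_mod(k, n) % n   # S = (M - Nu x(R)) K^-1 mod O(Q)
    return r, s


def verify(m: int, r: Point, s: int, qu: Point) -> bool:
    t1 = scalar_mul(m, Q)                             # T1 = M x Q
    t2 = scalar_mul(first_elements_sum(r), qu)        # T2 = x(R) x Qu
    t3 = scalar_mul(s, r)                             # T3 = S x R
    return t1 == point_add(t2, t3)                    # T1 == T4 = T2 + T3


if __name__ == "__main__":
    nu, nv = 3, 5
    qu, qv = public_key(nu), public_key(nv)
    c1, c2 = encrypt(11, 8, qv)
    print("decrypted:", decrypt(c1, c2, nv))          # 11
    r, s = sign(11, nu, 5)
    print("signature valid:", verify(11, r, s, qu))   # True
```

Two points of the patent's scheme become visible when run: the receiver recovers T2 = Nv × C1 = Nv × Ru × Q, which equals the sender's T1 = Ru × Qv, so the masking value cancels; and `sign` needs K invertible modulo O(Q), so `pow(k, -1, n)` raises ValueError for a K sharing a factor with the order, which is the case the random-number generator of the patent must avoid. The brute-force `order_of` is only for toy parameters; a deployed system knows O(Q) from the curve's group order.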

[0238] Hereinbelow is explained an embodiment of a recording medium storing a program therein for accomplishing the above-mentioned apparatus for summing bivectors, apparatus for multiplying a bivector by an integer, system for encrypting a public key, in which the apparatus for multiplying a bivector by an integer is employed, El-Gamal type encryption system, or El-Gamal type signature system.

[0239] A recording medium storing a program for accomplishing the above-mentioned apparatus for summing bivectors, apparatus for multiplying a bivector by an integer, system for encrypting a public key in which the apparatus for multiplying a bivector by an integer is employed, El-Gamal type encryption system, or El-Gamal type signature system may be accomplished by programming the functions of the above-mentioned apparatuses and systems in a programming language readable by a computer, and recording the program in a recording medium such as a CD-ROM, a floppy disc, a magnetic tape, or any other suitable means for storing a program therein.

[0240] A hard disc equipped in a server may also be employed as the recording medium. It is also possible to accomplish the recording medium in accordance with the present invention by storing the above-mentioned computer program in a recording medium as mentioned above, and having other computers read that computer program through a network.

[0241] In accordance with the conventional system for encrypting a public key, to be used for secret communication in an open network, it was necessary to use a prime number having an order of about 300. To the contrary, the present invention makes it possible to use a prime number having a smaller order. For instance, when a curve having a genus of 3 is selected, a prime number having an order of 100 can be used. Thus, the present invention provides apparatuses or systems for encrypting a public key which are smaller in size, but have sufficient cryptographic strength.


Claims

1. An apparatus for carrying out the addition operation in the Jacobian group of a plane algebraic curve defined over a predetermined finite field, said algebraic curve having a genus G, said addition operation being defined among two sets Q1 and Q2 of any G points on said algebraic curve, said apparatus comprising:

means (14) for inputting a parameter A for defining said algebraic curve, and for inputting bivectors X1 and X2 representing the point-sets Q1 and Q2, respectively;

means (13) for storing the bivector X1 therein, means (13) for storing the bivector X2 therein, and means (13) for storing the parameter A therein,

characterized by

means (11) for calculating a bivector T1, said bivector T1 representing a first point-set resulting from the union of Q1 and Q2;

means (21) for calculating a parameter B determining a particular curve passing through all points belonging to the first point-set;

means (22) for calculating a bivector S1 representing a second point-set defined by the intersection between the algebraic curves defined by the parameters A and B, respectively;

means (23) for calculating a bivector T2 which represents a third point-set obtained by subtracting the first point-set from the second point-set;

means (21) for calculating a parameter C determining a particular curve passing through all points of the third point-set;

means (22) for calculating a bivector S2 representing a fourth point-set defined by the intersection between the algebraic curves defined by the parameters A and C, respectively;

means (23) for calculating a bivector X3 which represents a point-set Q3 obtained by subtracting the third point-set from the fourth point-set;

means (26) for outputting bivector X3 as the result of the addition operation.


 
2. An apparatus according to claim 1, characterized in that parameter B determines a curve defined as having the smallest degree among curves passing through all points belonging to the first point-set.
 
3. An apparatus according to claim 1 or 2, characterized in that parameter C determines a curve defined as having the smallest degree among curves passing through all points belonging to the third point-set.
 
4. An apparatus for doubling a bivector comprising a plurality of pairs of elements selected from a predetermined finite field, the apparatus comprising:

a) means (33) for inputting a bivector X, and a parameter A for defining a curve therethrough;

b) first storage means (32) for storing the bivector X therein;

c) second storage means (32) for storing a bivector Xa which is a copy of the bivector X; and

d) third storage means (32) for storing the parameter A therein,

characterized by

e) a bivector adding device (31) according to any one of claims 1 to 3 for reading the bivector X out of the first storage means (32), the bivector Xa out of the second storage means (32), and the parameter A out of the third storage means (32), and adding the bivector X to the bivector Xa to thereby have a sum of 2X; and

f) means (34) for outputting the bivector 2X operated by the bivector-adding device.


 
5. An apparatus for multiplying a bivector by an integer, the bivector comprising a plurality of pairs of elements selected from a predetermined finite field, the apparatus comprising:

a) means (44) for inputting therethrough an integer N, a bivector X, and a parameter A for defining a curve;

b) first storage means (43) for storing the integer N therein;

c) second storage means (43) for storing the bivector X therein;

d) third storage means (43) for storing a bivector Y which is a copy of the bivector X;

e) fourth storage means (43) for storing a bivector Z therein;

f) fifth storage means (43) for storing the parameter A therein; and

g) sixth storage means (43) for storing an integer R therein,

characterized by

h) a bivector adding device (41) according to one of the claims 1 to 3 for summing bivectors;

i) a bivector doubling device (42) for doubling a bivector;

j) means (46) for reading the integer N out of the first storage means (43), calculating a remainder R obtained when the integer N is divided by 2, and storing the thus obtained R in the sixth storage means (43);

k) means (46) for reading the integer N out of the first storage means (43), calculating a quotient by dividing the integer N by 2, and storing the thus obtained quotient in the first storage means (43) as a renewed integer N;

l) means (46) for reading the integer R out of the sixth storage means (43),
if the integer R is equal to 1, reading the bivector Y out of the third storage means (43), the bivector Z out of the fourth storage means (43), and the parameter A out of the fifth storage means (43), inputting the bivectors Y and Z and the parameter A into the bivector adding device (41), calculating the sum of the bivectors Y and Z, and storing the thus calculated sum in the fourth storage means (43), and

m) means (46) for reading the integer N out of the first storage means (43),
if the thus read-out integer N is larger than 0, reading the bivector Y out of the third storage means (43) and the parameter A out of the fifth storage means (43), inputting the bivector Y and the parameter A into the bivector doubling device (42), doubling the bivector Y, and storing the thus doubled bivector Y in the third storage means (43), and
if the integer N is equal to 0, reading the bivector Z out of the fourth storage means (43).


 
6. A system for distributing a public key comprising

means for informing all users in advance of a parameter A defining a curve, and a bivector Q comprising a plurality of pairs of elements selected from a predetermined finite field,

means for randomly selecting in a user terminal U an integer Nu and keeping the thus selected integer Nu secret,

means for randomly selecting in a user terminal V an integer Nv and keeping the thus selected integer Nv secret,

means in the user terminal U for transmitting a bivector Qu (Qu = Nu × Q) to the user terminal V, the bivector Qu being obtained by multiplying the bivector Q by the integer Nu through the use of the integer Nu, the bivector Q, and the parameter A,

means in the user terminal V for transmitting a bivector Qv (Qv = Nv × Q) to the user terminal U, the bivector Qv being obtained by multiplying the bivector Q by the integer Nv through the use of the integer Nv, the bivector Q, and the parameter A,

means in the user terminal U for multiplying the bivector Qv by the integer Nu through the use of the bivector Qv having been transmitted from the user terminal V, the integer Nu, and the parameter A, to thereby obtain a bivector K (K = Nu × Qv = Nu × Nv × Q) as a common key K, and

means in the user terminal V for multiplying the bivector Qu by the integer Nv through the use of the bivector Qu having been transmitted from the user terminal U, the integer Nv, and the parameter A, to thereby obtain a bivector K (K = Nv × Qu = Nv × Nu × Q) as a common key K,
characterized by having each multiplication of a bivector by an integer be performed by an apparatus according to claim 5.


 
7. A system for distributing a public key, comprising a center and a plurality of user terminals,
the center (80) comprising:

a) means (81) for receiving a request for a parameter A defining a curve, and a bivector Q comprising a plurality of pairs of elements selected from a predetermined finite field; and

b) means (82) for disclosing the bivector Q and the parameter A to a user terminal making a request,
the user terminal (90) comprising:

a) first means (91) for requesting the center (80) to transmit the bivector Q and parameter A both made open;

b) second means (92) for receiving and retaining the bivector Q and parameter A, and transmitting them to a device for multiplying a bivector by an integer;

c) third means (93) for randomly selecting an integer Nu, keeping the thus selected integer Nu secret, and transmitting the integer Nu to a device for multiplying a bivector by an integer;

d) a device (94) according to claim 5, for multiplying a bivector by an integer, for receiving the bivector Q and the parameter A from the second means (92), receiving the integer Nu from third means (93), and calculating a bivector Qu by multiplying the bivector Q by the integer Nu;

e) fourth means (95) for transmitting the bivector Qu to other user terminals;

f) fifth means (96) for receiving a bivector Qv transmitted from other user terminals, and transmitting the bivector Qv to the device (94);
the device (94) receiving the bivector Qv transmitted from the other user terminals, the integer Nu stored in the third means (93), and the parameter A retained in the second means (92), and multiplying the bivector Qv by the integer Nu to thereby have a bivector K, and

g) sixth means (97) for storing the bivector K as a secret key.


 
8. An El-Gamal type encryption system comprising

means for informing all users in advance of a parameter A defining a curve, and a bivector Q comprising a plurality of pairs of elements selected from a predetermined finite field,

means for randomly selecting in a user terminal U an integer Nu, and keeping the thus selected integer Nu secret,

means in the user terminal U for transmitting a bivector Qu (Qu = Nu × Q) to other users as a public key, the bivector Qu being obtained, by an apparatus according to claim 5, by multiplying the bivector Q by the integer Nu through the use of the integer Nu, the bivector Q, and the parameter A,

means in the user terminal U for encrypting a text through the use of the integer Nu and a public key Qv of a user terminal V to which the user terminal U intends to transmit the text, and

means in the user terminal V for receiving the thus encrypted text and decrypting the encrypted text through the use of an integer Nv which the user terminal V retains in secret.


 
9. An El-Gamal type encryption system comprising a center and a plurality of user terminals,
the center (100) comprising:

a) first means (101) for receiving public keys disclosed by the user terminals;

b) second means (102) for receiving a request to transmit a parameter A defining a curve, a bivector Q comprising a plurality of pairs of elements selected from a predetermined finite field, a public key Qu to a user terminal; and

c) third means (103) for disclosing the bivector Q, the parameter A, and the public key Qu to the user terminal making the request, when the second means (102) receives the request,
the user terminal as a transmitter, comprising:

a) fourth means (111) for requesting the center to transmit the bivector Q, the parameter A, and the public keys Qv of other user terminals;

b) fifth means (112) for receiving and retaining the bivector Q, the parameter A, and the public key Qv which have been disclosed by the center (100) in accordance with a request from the fourth means (111), and transmitting them to a later mentioned first device (114) for multiplying a bivector by an integer;

c) sixth means (113) for randomly selecting an integer Nu, keeping the thus selected integer Nu secret, and transmitting the integer Nu to said first device (114) for multiplying a bivector by an integer;

d) said first device (114) according to claim 5 provided for multiplying a bivector by an integer, for receiving the bivector Q and the parameter A from the second means (102), receiving the integer Nu from the sixth means (113), and calculating a bivector Qu by multiplying the bivector Q by the integer Nu;

e) seventh means (115) for receiving the bivector Qu from the first device (114), and transmitting the bivector Qu to the center (100) for disclosing as a public key;

f) a second device (116) for selecting a random number Ru and keeping the thus selected random number Ru secret, and transmitting the random number Ru to the first device (114);
the first device (114) receiving the bivector Q transmitted from the second means (102), the parameter A, and the random number Ru stored in the second device (116), and multiplying the bivector Q by the random number Ru to thereby have a bivector C1 as a cipher, and storing the thus made cipher in the first storage means (117),
the first device (114) receiving the public key Qv of other user terminals stored in the second means (102), the parameter A, and the random number Ru, stored in the second device (116), and multiplying the bivector Qv by the random number Ru to thereby have a bivector T1, and transmitting the thus made bivector T1 to the eighth means (118),

g) eighth means (118) for calculating a sum t1 of the first elements in each of the groups included in the bivector T1, and making a cipher C2 to which a message M is added; and

h) ninth means (117) for cooperating with the eighth means (118) to transmit the ciphers C1 and C2 to other user terminals,
the user terminal as a receiver, comprising:

a) tenth means (120, 121) for receiving and retaining the ciphers C1 and C2 transmitted from the user terminals as a transmitter;
the first device (114) receiving the cipher C1, an integer Nv retained in the sixth means (113), and the parameter A, and calculating a bivector T2 by multiplying the bivector C1 by the integer Nv, and

b) eleventh means (119) for receiving the cipher C2 and the bivector T2, calculating a sum t2 of the first elements in each of the groups included in the bivector T2, and decrypting the message M by subtracting the sum t2 from the cipher C2.


 
10. An El-Gamal type signature system comprising

means for informing all users in advance of a parameter A defining a curve, and a bivector Q comprising a plurality of pairs of elements selected from a predetermined finite field,

means for randomly selecting in a certifier terminal U (170) an integer Nu as a signature key, and keeping the thus selected integer Nu secret,

means in the certifier terminal U (170) for disclosing a bivector Qu (Qu = Nu × Q) as a verification key, the bivector Qu being obtained by multiplying the bivector Q by the integer Nu by an apparatus according to claim 5,

means in the certifier terminal U (170) for making a signature text for a message M through the use of any integer and the signature key Nu, and transmitting the signature text to a verification terminal V together with the message M, and

means in the verification terminal V (180) for verifying the message M through the use of the signature text and the verification key Qu of the certifier terminal U (170).


 
11. An El-Gamal type signature system comprising a center (160) and a plurality of certifier terminals (170) and verifier terminals (180),
the center comprising:

a) first means (161) for receiving verification keys disclosed by the certifier terminals;

b) second means (163) for receiving a request from one of the certifier and verifier terminals (170, 180) to transmit a bivector Q comprising a plurality of pairs of elements selected from a predetermined finite field, a parameter A defining a curve, and a verification key Qu; and

c) third means (162) for disclosing the bivector Q, the parameter A, and the verification key Qu to the one of the certifier and verifier terminals (170, 180) making the request, when the second means (163) receives the request,
the certifier terminal (170) comprising:

a) fourth means (171) for requesting the center (160) to transmit the bivector Q and the parameter A;

b) fifth means (172) for receiving and retaining the bivector Q and the parameter A which have been disclosed by the center (160) in accordance with a request from the fourth means (171), and transmitting them to a first device (174) for multiplying a bivector by an integer;

c) sixth means (173) for randomly selecting an integer Nu, keeping the thus selected integer Nu secret as a signature key, and transmitting the signature key Nu to said first device (174) for multiplying a bivector by an integer;

d) said first device (174) according to claim 5 being provided for multiplying a bivector by an integer, for receiving the bivector Q and the parameter A from the second means (163), receiving the signature key Nu from the sixth means (173), and calculating a bivector Qu by multiplying the bivector Q by the integer Nu;

e) seventh means (175) for receiving the bivector Qu from the first device (174), and transmitting the bivector Qu to the center (160) for disclosing as a verification key;

f) a second device (176) for selecting a random number K, keeping the thus selected random number K secret, and transmitting the random number K to the first device (174);
the first device (174) receiving the bivector Q and the parameter A transmitted from the second means (163), and the random number K stored in the second device (176), multiplying the bivector Q by the random number K to thereby have a bivector R as a signed text, and storing the signed text R in the eighth means (177); and

g) ninth means (178) for receiving a message M, the signed text R (R = K × Q) from the first device (174), the random number K from the second device (176), and the signature key Nu from the sixth means (173), and calculating S (S = (M - Nu × x(R)) × K^(-1) mod O(Q), wherein x(R) indicates a sum of the first elements in each of the groups included in a bivector R, and O(Q) indicates the order of the bivector Q) as a signed text;
the signed text R, the signed text S, and the message M being transmitted to the verifier terminal from the eighth, tenth and ninth means (177, 178, 179),
the verifier terminal (180) comprising:

a) eleventh means (181) for requesting the center (160) to transmit the bivector Q, the parameter A, and the verification key all of which have been disclosed;

b) twelfth means (182) for receiving and retaining the bivector Q, the parameter A, and the verification key Qu, and transmitting them to a third device (183) for multiplying a bivector by an integer;

c) a third device (183) for multiplying a bivector by an integer, the third device (183) receiving the bivector Q, the parameter A, and the message M, calculating M × Q by multiplying the bivector Q by the message M to thereby have a bivector T1 as a result, and storing the thus calculated bivector T1 in the first storage means (188),
the third device (183) receiving a sum x(R) of the first elements in each of the groups included in the bivector R having been received from the eighth means (177), receiving the verification key Qu and the parameter A from the twelfth means (182), calculating x(R) × Qu to thereby have a bivector T2 as a result, and storing the thus calculated bivector T2 in the second storage means (189),
the third device (183) receiving the bivector R, the signed text S, and the parameter A, calculating S × R by multiplying the bivector R by the signed text S to thereby have a bivector T3 as a result, and storing the bivector T3 in the third storage means (190);

d) a fourth device (184) for summing bivectors, the fourth device (184) receiving the bivectors T2 and T3, and the parameter A, calculating (T2 + T3) to thereby have a bivector T4 as a result, and storing the thus calculated bivector T4 in the fourth storage means (191); and

e) verification means (192) for confirming whether the bivector T1 stored in the first storage means (188) is identical with the bivector T4 stored in the fourth storage means (191), to thereby verify whether the message M is made by the certifier terminal U (170).
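The bivector operations and the protocols of claims 5, 6, 9 and 11 in working form, as an added example that is not part of the patent: it instantiates the arithmetic for genus G = 1 on a constructed toy curve (y^2 = x^3 + 2x + 2 over GF(17), base bivector Q = ((5, 1),), 19 points), where the intersect-and-subtract procedure of claim 1 reduces to the chord-and-tangent rule, and then follows the storage-cell loop of claim 5, the ciphers C1, C2 of claim 9 and the signature (R, S) with the check T1 = T2 + T3 of claim 11. Assumptions not stated in the claims: the bivector Z of claim 5 starts as the identity (the empty point-set), and x(R) of the empty bivector is taken as 0.

```python
# Constructed toy parameters (not from the patent, not secure): the genus-1
# curve y^2 = x^3 + a*x + b over GF(p), which has 19 points; every bivector
# here holds G = 1 pair, the empty tuple standing for the empty point-set.
P, A_PARAM, B_PARAM = 17, 2, 2
Q = ((5, 1),)                     # public base bivector Q of claims 6 to 11
IDENTITY = ()

def on_curve(pair):
    x, y = pair
    return (y * y - (x ** 3 + A_PARAM * x + B_PARAM)) % P == 0

def add(X1, X2, a=A_PARAM):
    """Claim 1 for genus 1: the curve B through Q1 u Q2 is a line, S1 its
    three intersections, T2 the leftover point, C the vertical line through
    T2, and X3 = S2 - T2 the reflected point."""
    if X1 == IDENTITY:
        return X2
    if X2 == IDENTITY:
        return X1
    (x1, y1), (x2, y2) = X1[0], X2[0]
    if x1 == x2 and (y1 + y2) % P == 0:
        return IDENTITY               # B is already vertical: P + (-P) = O
    if X1 == X2:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, P) % P   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P           # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return ((x3, y3),)

def double(X, a=A_PARAM):
    """Claim 4: add the bivector X to its own copy Xa."""
    return add(X, X, a)

def multiply(N, X, a=A_PARAM):
    """Claim 5: storage cells N, Y (copy of X), Z and R driven by steps j)
    to m). Z is assumed to start as the identity (the claim is silent)."""
    Y, Z = X, IDENTITY
    while True:
        R = N % 2                     # j) remainder of N / 2
        N = N // 2                    # k) quotient replaces N
        if R == 1:                    # l) Z <- Y + Z via the adding device
            Z = add(Y, Z, a)
        if N > 0:                     # m) Y <- 2Y via the doubling device ...
            Y = double(Y, a)
        else:
            return Z                  # ... or output Z once N reaches 0

def order(X):
    """O(Q) of claim 11: least n >= 1 with n x X = identity (brute force)."""
    n, acc = 1, X
    while acc != IDENTITY:
        acc, n = add(acc, X), n + 1
    return n

def x_sum(T):
    """x(R), t1 and t2 of claims 9 and 11: sum of the first elements of the
    pairs of a bivector; taken as 0 for the empty bivector (assumption)."""
    return sum(x for x, _ in T) % P

def shared_key(Nu, Nv):
    """Claim 6: both terminals end with K = Nu x Nv x Q."""
    Qu, Qv = multiply(Nu, Q), multiply(Nv, Q)      # exchanged in the clear
    Ku, Kv = multiply(Nu, Qv), multiply(Nv, Qu)
    return Ku if Ku == Kv else None

def encrypt(M, Qv, Ru):
    """Transmitter of claim 9: C1 = Ru x Q, C2 = M + t1, t1 = x(Ru x Qv)."""
    C1 = multiply(Ru, Q)
    t1 = x_sum(multiply(Ru, Qv))
    return C1, (M + t1) % P

def decrypt(C1, C2, Nv):
    """Receiver of claim 9: M = C2 - t2 with t2 = x(Nv x C1)."""
    return (C2 - x_sum(multiply(Nv, C1))) % P

def sign(M, Nu, K):
    """Certifier of claim 11: R = K x Q, S = (M - Nu*x(R)) * K^-1 mod O(Q).
    K must be coprime to O(Q); pow(K, -1, n) raises ValueError otherwise."""
    n = order(Q)
    R = multiply(K, Q)
    S = (M - Nu * x_sum(R)) * pow(K, -1, n) % n
    return R, S

def verify(M, R, S, Qu):
    """Verifier of claim 11: T1 = M x Q must equal T4 = x(R) x Qu + S x R."""
    T1 = multiply(M, Q)
    T2 = multiply(x_sum(R), Qu)
    T3 = multiply(S, R)
    return T1 == add(T2, T3)

if __name__ == "__main__":
    Nu, Nv = 4, 11                    # constructed secret integers
    print("shared key K:", shared_key(Nu, Nv))
    C1, C2 = encrypt(9, multiply(Nv, Q), Ru=7)
    print("decrypted M:", decrypt(C1, C2, Nv))
    R, S = sign(12, Nu, K=13)
    print("valid:", verify(12, R, S, multiply(Nu, Q)),
          "tampered:", verify(13, R, S, multiply(Nu, Q)))
```

With a 19-point group, scalars are only meaningful modulo O(Q) = 19 and cipher texts modulo p = 17; the same functions apply unchanged to larger parameters once `order` is replaced by a known group order.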


 
12. A recording medium readable by a computer, storing a program therein for accomplishing the system defined in any one of claims 6 to 11, and/or for causing a computer to act as an apparatus defined in any one of claims 1 to 5.
 


Claims (German version)

1. Apparatus for carrying out the addition step in the Jacobian group of a plane algebraic curve defined over a predetermined finite field, the algebraic curve having a genus G, the addition step being defined among two sets Q1 and Q2 of any G points on the algebraic curve,
the apparatus comprising:

means (14) for inputting a parameter A for defining the algebraic curve and for inputting bivectors X1 and X2 representing the point-sets Q1 and Q2, respectively;

means (13) for storing the bivector X1 therein, means (13) for storing the bivector X2 therein, and means (13) for storing the parameter A therein,

characterized by

means (11) for calculating a bivector T1, the bivector T1 representing a first point-set resulting from the union of Q1 and Q2;

means (21) for calculating a parameter B determining a particular curve passing through all points belonging to the first point-set;

means (22) for calculating a bivector S1 representing a second point-set defined by the intersection between the algebraic curves defined by the parameters A and B, respectively;

means (23) for calculating a bivector T2 representing a third point-set obtained by subtracting the first point-set from the second point-set;

means (21) for calculating a parameter C determining a particular curve passing through all points of the third point-set;

means (22) for calculating a bivector S2 representing a fourth point-set defined by the intersection between the algebraic curves defined by the parameters A and C, respectively;

means (23) for calculating a bivector X3 representing a point-set Q3 obtained by subtracting the third point-set from the fourth point-set;

means (26) for outputting the bivector X3 as the result of the addition step.


 
2. Apparatus according to claim 1, characterized in that parameter B determines a curve defined as the one having the smallest degree among curves passing through all points belonging to the first point-set.
 
3. Apparatus according to claim 1 or 2, characterized in that parameter C determines a curve defined as the one having the smallest degree among curves passing through all points belonging to the third point-set.
 
4. Apparatus for doubling a bivector comprising a plurality of pairs of elements selected from a predetermined finite field, the apparatus comprising:

a) means (33) for inputting a bivector X and a parameter A, in order thereby to define a curve;

b) first storage means (32) for storing the bivector X therein;

c) second storage means (32) for storing a bivector Xa which is a copy of the bivector X; and

d) third storage means (32) for storing the parameter A therein,

characterized by

e) a bivector adding device (31) according to any one of claims 1 to 3 for reading the bivector X out of the first storage means (32), the bivector Xa out of the second storage means (32) and the parameter A out of the third storage means (32), and adding the bivector X to the bivector Xa to thereby obtain a sum 2X; and

f) means (34) for outputting the bivector 2X obtained by the bivector adding device.


 
5. Apparatus for multiplying a bivector by an integer, the bivector comprising a plurality of pairs of elements selected from a predetermined finite field, the apparatus comprising:

a) means (44) for inputting therethrough an integer N, a bivector X and a parameter A for defining a curve;

b) first storage means (43) for storing the integer N therein;

c) second storage means (43) for storing the bivector X therein;

d) third storage means (43) for storing a bivector Y which is a copy of the bivector X;

e) fourth storage means (43) for storing a bivector Z therein;

f) fifth storage means (43) for storing the parameter A therein; and

g) sixth storage means (43) for storing an integer R therein,

characterized by

h) a bivector adding device (41) according to any one of claims 1 to 3 for summing bivectors;

i) a bivector doubling device (42) for doubling a bivector;

j) means (46) for reading the integer N out of the first storage means (43), calculating a remainder R obtained when the integer N is divided by 2, and storing the thus obtained R in the sixth storage means (43);

k) means (46) for reading the integer N out of the first storage means (43), calculating a quotient by dividing the integer N by 2, and storing the thus obtained quotient in the first storage means (43) as a renewed integer N;

l) means (46) for reading the integer R out of the sixth storage means (43),
if the integer R is equal to 1, reading the bivector Y out of the third storage means (43), the bivector Z out of the fourth storage means (43) and the parameter A out of the fifth storage means (43), inputting the bivectors Y and Z and the parameter A into the bivector adding device (41), calculating the sum of the bivectors Y and Z, and storing the thus calculated sum in the fourth storage means (43), and

m) means (46) for reading the integer N out of the first storage means (43),
if the thus read-out integer N is larger than 0, reading the bivector Y out of the third storage means (43) and the parameter A out of the fifth storage means (43), inputting the bivector Y and the parameter A into the bivector doubling device (42), doubling the bivector Y and storing the thus doubled bivector Y in the third storage means (43), and
if the integer N is equal to 0, reading the bivector Z out of the fourth storage means (43).

 
6. System for distributing a public key, comprising
means for informing all users in advance of a parameter A defining a curve and a bivector Q comprising a plurality of pairs of elements selected from a predetermined finite field,
means for randomly selecting an integer Nu in a user terminal U and keeping the thus selected integer Nu secret,
means for randomly selecting an integer Nv in a user terminal V and keeping the thus selected integer Nv secret,
means in the user terminal U for transmitting a bivector Qu (Qu = Nu × Q) to the user terminal V, the bivector Qu being obtained by multiplying the bivector Q by the integer Nu through the use of the integer Nu, the bivector Q and the parameter A,
means in the user terminal V for transmitting a bivector Qv (Qv = Nv × Q) to the user terminal U, the bivector Qv being obtained by multiplying the bivector Q by the integer Nv through the use of the integer Nv, the bivector Q and the parameter A,
means in the user terminal U for multiplying the bivector Qv by the integer Nu through the use of the bivector Qv transmitted from the user terminal V, the integer Nu and the parameter A, to thereby obtain a bivector K (K = Nu × Qv = Nu × Nv × Q) as a common key K, and
means in the user terminal V for multiplying the bivector Qu by the integer Nv through the use of the bivector Qu transmitted from the user terminal U, the integer Nv and the parameter A, to thereby obtain a bivector K (K = Nv × Qu = Nv × Nu × Q) as a common key K,
characterized in that each multiplication of a bivector by an integer is performed by an apparatus according to claim 5.
 
7. System for distributing a public key, comprising a center and a plurality of user terminals,
the center (80) comprising:

a) means (81) for receiving a request for a parameter A defining a curve and a bivector Q comprising a plurality of pairs of elements selected from a predetermined finite field; and

b) means (82) for disclosing the bivector Q and the parameter A to a user terminal making a request,


the user terminal (90) comprising:

a) first means (91) for requesting the center (80) to transmit the bivector Q and the parameter A, both of which have been disclosed;

b) second means for receiving and retaining the bivector Q and the parameter A and transmitting them to a device for multiplying a bivector by an integer;

c) third means (93) for randomly selecting an integer Nu, keeping the thus selected integer Nu secret and transmitting the integer Nu to a device for multiplying a bivector by an integer;

d) a device (94) according to claim 5 for multiplying a bivector by an integer, receiving the bivector Q and the parameter A from the second means (92), receiving the integer Nu from the third means (93), and calculating a bivector Qu by multiplying the bivector Q by the integer Nu;

e) fourth means (95) for transmitting the bivector Qu to other user terminals;

f) fifth means (96) for receiving a bivector Qv transmitted from other user terminals and transmitting the bivector Qv to the device (94);


the device (94) receiving the bivector Qv transmitted from the other user terminals, the integer Nu stored in the third means (93) and the parameter A retained in the second means (92), and multiplying the bivector Qv by the integer Nu to thereby obtain a bivector K, and

g) sixth means (97) for storing the bivector K as a secret key.


 
8. Encryption system of the El-Gamal type, comprising
means for informing all users in advance of a parameter A defining a curve and a bivector Q comprising a plurality of pairs of elements selected from a predetermined finite field,
means for randomly selecting an integer Nu in a user terminal U and keeping the thus selected integer Nu secret,
means in the user terminal U for transmitting a bivector Qu (Qu = Nu × Q) to other users as a public key, the bivector Qu being obtained by an apparatus according to claim 5 by multiplying the bivector Q by the integer Nu through the use of the integer Nu, the bivector Q and the parameter A,
means in the user terminal U for encrypting a text through the use of the integer Nu and a public key Qv of a user terminal V to which the user terminal U intends to transmit the text, and
means in the user terminal V for receiving the thus encrypted text and decrypting the encrypted text through the use of an integer Nv which the user terminal V keeps secret.
 
9. Encryption system of the El-Gamal type, comprising a center and a plurality of user terminals,
the center (100) comprising:

a) first means (101) for receiving public keys disclosed by the user terminals;

b) second means (102) for receiving a request to transmit a parameter A defining a curve, a bivector Q comprising a plurality of pairs of elements selected from a predetermined finite field, and a public key Qu to a user terminal; and

c) third means (103) for disclosing the bivector Q, the parameter A and the public key Qu to the user terminal making the request, when the second means (102) receives the request,


the user terminal as a transmitter comprising:

a) fourth means (111) for requesting the center to transmit the bivector Q, the parameter A and the public keys Qv of other user terminals;

b) fifth means (112) for receiving and retaining the bivector Q, the parameter A and the public key Qv which have been disclosed by the center (140) in accordance with a request from the fourth means (111), and transmitting them to a later-mentioned first device (114) for multiplying a bivector by an integer;

c) sixth means (113) for randomly selecting an integer Nu, keeping the thus selected integer Nu secret and transmitting the integer Nu to the first device (114) for multiplying a bivector by an integer;

d) the first device (114) according to claim 5, provided for multiplying a bivector by an integer, for receiving the bivector Q and the parameter A from the second means (102), receiving the integer Nu from the sixth means (113) and calculating a bivector Qu by multiplying the bivector Q by the integer Nu;

e) seventh means (115) for receiving the bivector Qu from the first device (114) and transmitting the bivector Qu to the center (100) for disclosure as a public key;

f) a second device (116) for selecting a random number Ru, keeping the thus selected random number Ru secret and transmitting the random number Ru to the first device (114);


the first device (114) receiving the bivector Q transmitted from the second means (102), the parameter A and the random number Ru stored in the second device (116), and multiplying the bivector Q by the random number Ru to thereby obtain a bivector C1 as a cipher, and storing the thus made cipher in the first storage means (117),
the first device (114) receiving the public key Qv of other user terminals stored in the second storage means (102), the parameter A and the random number Ru stored in the second device (116), and multiplying the bivector Qv by the random number Ru to thereby obtain a bivector T1, and transmitting the thus made bivector T1 to the eighth means (118),

g) eighth means (118) for calculating a sum t1 of the first elements in each of the groups included in the bivector T1 and making a cipher C2 to which a message M is added; and

h) ninth means (117) for cooperating with the eighth means (118) to transmit the ciphers C1 and C2 to other user terminals,


the user terminal as a receiver comprising:

a) tenth means (120, 121) for receiving and retaining the ciphers C1 and C2 transmitted from the user terminals as a transmitter;


the first device (114) receiving the cipher C1, an integer Nv retained in the sixth means (113) and the parameter A, and calculating a bivector T2 by multiplying the bivector C1 by the integer Nv, and

b) eleventh means (119) for receiving the cipher C2 and the bivector T2, receiving a sum t2 of the first elements in each of the groups included in the bivector T2, and decrypting the message M by subtracting the sum t2 from the cipher C2.


 
10. ElGamal-type signature system comprising
means for informing all users in advance of a parameter A defining a curve and a bivector Q comprising a plurality of element pairs selected from a predetermined finite field,
means for randomly selecting an integer Nu as a signature key in a certifying terminal U (170) and keeping the integer Nu so selected secret,
means in the certifying terminal U (170) for disclosing a bivector Qu (Qu = Nu × Q) as a verification key, the bivector Qu being obtained by multiplying the bivector Q by the integer Nu by means of an apparatus according to claim 5,
means in the certifying terminal U (170) for forming a signature text for a message M through the use of an arbitrary integer and the signature key Nu, and sending the signature text to a verifying terminal V together with the message M, and
means in the verifying terminal V (180) for verifying the message M through the use of the signature text and the verification key Qu of the certifying terminal U (170).
 
11. ElGamal-type signature system comprising a center (160) and a plurality of certifying terminals (170) and verifying terminals (180),
wherein the center comprises:

a) first means (161) for receiving verification keys disclosed by the certifying terminals;

b) second means (163) for receiving a request from one of the certifying and verifying terminals (170, 180) to send a bivector Q comprising a plurality of element pairs selected from a predetermined finite field, a parameter A defining a curve, and a verification key Qu; and

c) third means (162) for disclosing the bivector Q, the parameter A and the verification key Qu to the one of the certifying and verifying terminals (170, 180) making the request, when the second means (163) receives the request,


wherein the certifying terminal (170) comprises:

a) fourth means (171) for requesting the center (160) to send the bivector Q and the parameter A;

b) fifth means (172) for receiving and holding the bivector Q and the parameter A disclosed by the center (160) in accordance with a request from the fourth means (171), and sending them to a first device (174) for multiplying a bivector by an integer;

c) sixth means (173) for randomly selecting an integer Nu, keeping the integer Nu so selected secret as a signature key, and sending the signature key Nu to the first device (174) for multiplying a bivector by an integer;

d) wherein the first device (174) according to claim 5 is provided for multiplying a bivector by an integer, for receiving the bivector Q and the parameter A from the second means (163), for receiving the signature key Nu from the sixth means (173) and for computing a bivector Qu by multiplying the bivector Q by the integer Nu;

e) seventh means (175) for receiving the bivector Qu from the first device (174) and sending the bivector Qu to the center (160) for disclosure as a verification key;

f) a second device (176) for selecting a random number K, keeping the random number K so selected secret and sending the random number K to the first device (174);


wherein the first device (174) receives the bivector Q and the parameter A sent from the second means (163) and the random number K stored in the second device (176), multiplies the bivector Q by the random number K to thereby obtain a bivector R as a signed text, and stores the signed text R in the eighth means (177); and

g) ninth means (178) for receiving a message M, the signed text R (R = K × Q) from the first device (174), the random number K from the second device (176) and the signature key Nu from the sixth means (173), and for computing, as a signed text, S (S = (M − Nu × x(R)) × K^-1 mod O(Q)), where x(R) denotes a sum of the first elements in each of the groups contained in a bivector R, and O(Q) denotes an order of the bivector Q;


wherein the signed text R, the signed text S and the message M are sent to the verifying terminal from the eighth, tenth and ninth means (177, 178, 179), and wherein the verifying terminal (180) comprises:

a) eleventh means (181) for requesting the center (160) to send the bivector Q, the parameter A and the verification key, all of which have been disclosed;

b) twelfth means (182) for receiving and holding the bivector Q, the parameter A and the verification key Qu, and sending them to a third device (183) for multiplying a bivector by an integer;

c) a third device (183) for multiplying a bivector by an integer, the third device (183) receiving the bivector Q, the parameter A and the message M, computing M × Q by multiplying the bivector Q by M to thereby obtain a bivector T1 as a result, and storing the bivector T1 so computed in the first storage means (188),


wherein the third device (183) receives a sum x(R) of the first elements in each of the groups contained in the bivector R received from the eighth means (177), receives the verification key Qu and the parameter A from the twelfth means (182), computes x(R) × Qu to thereby obtain a bivector T2 as a result, and stores the bivector T2 so computed in the second storage means (189),
wherein the third device (183) receives the bivector R, the signed text S and the parameter A, computes S × R by multiplying the bivector R by S to thereby obtain a bivector T3 as a result, and stores the bivector T3 in the third storage means (190);

d) a fourth device (184) for summing bivectors, the fourth device (184) receiving the bivectors T2 and T3 and the parameter A, computing (T2 + T3) to thereby obtain a bivector T4 as a result, and storing the bivector T4 so computed in the fourth storage means (191); and

e) verifying means (192) for confirming whether the bivector T1 stored in the first storage means (188) is identical to the bivector T4 stored in the fourth storage means (191), to thereby verify whether the message M was produced by the certifying terminal U (170).


 
12. Computer-readable recording medium storing therein a program for forming the system defined in any one of claims 6 to 11 and/or for causing a computer to act as an apparatus defined in any one of claims 1 to 5.
 


Claims

1. Apparatus for carrying out the addition operation in the Jacobian group of a plane algebraic curve defined over a predetermined finite field, said algebraic curve having a genus G, said addition operation being defined between two sets Q1 and Q2 of any G points on said algebraic curve, said apparatus comprising:

means (14) for inputting a parameter A defining said algebraic curve, and for inputting bivectors X1 and X2 representing the point sets Q1 and Q2 respectively;

means (13) for storing the bivector X1 therein, means (13) for storing the bivector X2 therein, and means (13) for storing the parameter A therein,

characterized by

means (11) for computing a bivector T1, said bivector T1 representing a first set of points formed by the union of Q1 and Q2;

means (21) for computing a parameter B determining a particular curve passing through all the points belonging to the first set of points;

means (22) for computing a bivector S1 representing a second set of points defined by the intersection between the algebraic curves defined by the parameters A and B respectively;

means (23) for computing a bivector T2 representing a third set of points obtained by subtracting the first set of points from the second set of points;

means (21) for computing a parameter C determining a particular curve passing through all the points of the third set of points;

means (22) for computing a bivector S2 representing a fourth set of points defined by the intersection between the algebraic curves defined by the parameters A and C respectively;

means (23) for computing a bivector X3 representing a set of points Q3 obtained by subtracting the third set of points from the fourth set of points;

means (26) for outputting the bivector X3 as the result of the addition operation.


 
2. Apparatus according to claim 1, characterized in that the parameter B determines a curve defined as having the smallest degree among the curves passing through all the points belonging to the first set of points.
 
3. Apparatus according to claim 1 or 2, characterized in that the parameter C determines a curve defined as having the smallest degree among the curves passing through all the points belonging to the third set of points.
 
4. Apparatus for doubling a bivector comprising a plurality of element pairs selected from a predetermined finite field, the apparatus comprising:

a) means (33) for inputting a bivector X, and a parameter A for defining a curve therethrough;

b) first storage means (32) for storing the bivector X therein;

c) second storage means (32) for storing a bivector Xa which is a copy of the bivector X; and

d) third storage means (32) for storing the parameter A therein,
characterized by

e) a bivector addition device (31) according to any one of claims 1 to 3 for reading the bivector X from the first storage means (32), the bivector Xa from the second storage means (32) and the parameter A from the third storage means (32), and for adding the bivector X to the bivector Xa to thereby obtain a sum 2X; and

f) means (34) for outputting the bivector 2X produced by the bivector addition device.


 
5. Apparatus for multiplying a bivector by an integer, the bivector comprising a plurality of element pairs selected from a predetermined finite field, the apparatus comprising:

a) means (44) for inputting therethrough an integer N, a bivector X and a parameter A for defining a curve;

b) first storage means (43) for storing the integer N therein;

c) second storage means (43) for storing the bivector X therein;

d) third storage means (43) for storing a bivector Y which is a copy of the bivector X;

e) fourth storage means (43) for storing a bivector Z therein;

f) fifth storage means (43) for storing the parameter A therein; and

g) sixth storage means (43) for storing an integer R therein,
characterized by

h) a bivector addition device (41) according to any one of claims 1 to 3 for summing bivectors;

i) a bivector doubling device (42) for doubling a bivector;

j) means (46) for reading the integer N from the first storage means (43), computing a remainder R obtained when the integer N is divided by 2, and storing the R so obtained in the sixth storage means (43);

k) means (46) for reading the integer N from the first storage means (43), computing a quotient by dividing the integer N by 2, and storing the quotient so obtained in the first storage means (43) as a renewed integer N;

l) means (46) for reading the integer R from the sixth storage means (43),
if the integer R is equal to 1, reading the bivector Y from the third storage means (43), the bivector Z from the fourth storage means (43) and the parameter A from the fifth storage means (43), inputting the bivectors Y and Z and the parameter A into the bivector addition device (41), computing the sum of the bivectors Y and Z, and storing the sum so computed in the fourth storage means (43), and

m) means (46) for reading the integer N from the first storage means (43),
if the integer N so read is greater than 0, reading the bivector Y from the third storage means (43) and the parameter A from the fifth storage means (43), inputting the bivector Y and the parameter A into the bivector doubling device (42), doubling the bivector Y, and storing the bivector Y so doubled in the third storage means (43), and
if the integer N is equal to 0, reading the bivector Z from the fourth storage means (43).


 
6. System for distributing a public key, comprising:

means for informing all users in advance of a parameter A defining a curve, and of a bivector Q comprising a plurality of element pairs selected from a predetermined finite field,

means for randomly selecting in a user terminal U an integer Nu and for keeping the integer Nu so selected secret,

means for randomly selecting in a user terminal V an integer Nv and for keeping the integer Nv so selected secret,

means in the user terminal U for sending a bivector Qu (Qu = Nu × Q) to the user terminal V, the bivector Qu being obtained by multiplying the bivector Q by the integer Nu through the use of the integer Nu, the bivector Q and the parameter A,

means in the user terminal V for sending a bivector Qv (Qv = Nv × Q) to the user terminal U, the bivector Qv being obtained by multiplying the bivector Q by the integer Nv through the use of the integer Nv, the bivector Q and the parameter A,

means in the user terminal U for multiplying the bivector Qv by the integer Nu through the use of the bivector Qv sent from the user terminal V, the integer Nu and the parameter A, to thereby obtain a bivector K (K = Nu × Qv = Nu × Nv × Q) as a common key K, and

means in the user terminal V for multiplying the bivector Qu by the integer Nv through the use of the bivector Qu sent from the user terminal U, the integer Nv and the parameter A, to thereby obtain a bivector K (K = Nv × Qu = Nv × Nu × Q) as a common key K,

characterized in that each multiplication of a bivector by an integer is carried out by an apparatus according to claim 5.


 
7. System for distributing a public key, comprising a center and a plurality of user terminals,
the center (80) comprising:

a) means (81) for receiving a request for a parameter A defining a curve, and a bivector Q comprising a plurality of element pairs selected from a predetermined finite field; and

b) means (82) for disclosing the bivector Q and the parameter A to a user terminal making a request,
the user terminal (90) comprising:

a) first means (91) for requesting the center (80) to send the bivector Q and the parameter A, both of which have been made public;

b) second means (92) for receiving and holding the bivector Q and the parameter A, and for sending them to a device for multiplying a bivector by an integer;

c) third means (93) for randomly selecting an integer Nu, keeping the integer Nu so selected secret, and sending the integer Nu to a device for multiplying a bivector by an integer;

d) a device (94) according to claim 5 for multiplying a bivector by an integer, for receiving the bivector Q and the parameter A from the second means (92), receiving the integer Nu from the third means (93), and computing a bivector Qu by multiplying the bivector Q by the integer Nu;

e) fourth means (95) for sending the bivector Qu to other user terminals;

f) fifth means (96) for receiving a bivector Qv sent from other user terminals, and for sending the bivector Qv to the device (94);
the device (94) receiving the bivector Qv sent from the other user terminals, the integer Nu stored in the third means (96) and the parameter A held in the second means (92), and multiplying the bivector Qv by the integer Nu to thereby obtain a bivector K, and

g) sixth means (97) for storing the bivector K as a secret key.


 
8. ElGamal-type encryption system comprising:

means for informing all users in advance of a parameter A defining a curve, and of a bivector Q comprising a plurality of element pairs selected from a predetermined finite field,

means for randomly selecting in a user terminal U an integer Nu and for keeping the integer Nu so selected secret,

means in the user terminal U for sending a bivector Qu (Qu = Nu × Q) to other users as a public key, the bivector Qu being obtained by multiplying, by an apparatus according to claim 5, the bivector Q by the integer Nu through the use of the integer Nu, the bivector Q and the parameter A,

means in the user terminal U for encrypting a text through the use of the integer Nu and a public key Qv of a user terminal V to which the user terminal U intends to send the text, and

means in the user terminal V, having received the text so encrypted, for decrypting the encrypted text through the use of an integer Nv which the user terminal V keeps secret.


 
9. ElGamal-type encryption system comprising a center and a plurality of user terminals,
the center (100) comprising:

a) first means (101) for receiving public keys disclosed by the user terminals;

b) second means (102) for receiving a request to send a parameter A defining a curve, a bivector Q comprising a plurality of element pairs selected from a predetermined finite field, and a public key Qu to a user terminal; and

c) third means (103) for disclosing the bivector Q, the parameter A and the public key Qu to the user terminal making the request, when the second means (102) receives the request,
the user terminal as a sender comprising:

a) fourth means (111) for requesting the center to send the bivector Q, the parameter A and the public keys Qv of other user terminals;

b) fifth means (112) for receiving and holding the bivector Q, the parameter A and the public key Qv disclosed by the center (100) in accordance with a request from the fourth means (111), and for sending them to a first device (114), mentioned below, for multiplying a bivector by an integer;

c) sixth means (113) for randomly selecting an integer Nu, keeping the integer Nu so selected secret, and sending the integer Nu to said first device (114) for multiplying a bivector by an integer;

d) said first device (114) according to claim 5, provided for multiplying a bivector by an integer, for receiving the bivector Q and the parameter A from the second means (102), receiving the integer Nu from the sixth means (113), and computing a bivector Qu by multiplying the bivector Q by the integer Nu;

e) seventh means (115) for receiving the bivector Qu from the first device (114), and for sending the bivector Qu to the center (100) for its disclosure as a public key;

f) a second device (116) for selecting a random number Ru, keeping the random number Ru so selected secret, and sending the random number Ru to the first device (114),
the first device (114) receiving the bivector Q sent from the second means (102), the parameter A, and the random number Ru stored in the second device (116), and multiplying the bivector Q by the random number Ru to thereby obtain a bivector C1 as a ciphertext, and storing the ciphertext so formed in the first storage means (117),
the first device (114) receiving the public key Qv of other user terminals stored in the second means (102), the parameter A and the random number Ru stored in the second device (116), and multiplying the bivector Qv by the random number Ru to thereby obtain a bivector T1, and sending the bivector T1 so formed to the eighth means (118),

g) eighth means (118) for computing a sum t1 of the first elements of each of the groups contained in the bivector T1, and for forming a ciphertext C2 to which a message M is added; and

h) ninth means (117) for cooperating with the eighth means (118) to send the ciphertexts C1 and C2 to the other user terminals,
the user terminal as a receiver comprising:

a) tenth means (120, 121) for receiving and holding the ciphertexts C1 and C2 sent from the user terminals as senders;
the first device (114) receiving the ciphertext C1, an integer Nv held in the sixth means (113), and the parameter A, and computing a bivector T2 by multiplying the bivector C1 by the integer Nv, and

b) eleventh means (119) for receiving the ciphertext C2 and the bivector T2, computing a sum t2 of the first elements of each of the groups contained in the bivector T2, and decrypting the message M by subtracting the sum t2 from the ciphertext C2.


 
10. ElGamal-type signature system comprising:

means for informing all users in advance of a parameter A defining a curve, and of a bivector Q comprising a plurality of element pairs selected from a predetermined finite field,

means for randomly selecting in a certifying terminal U (170) an integer Nu as a signature key, and for keeping the integer Nu so selected secret,

means in the certifying terminal U (170) for disclosing a bivector Qu (Qu = Nu × Q) as a verification key, the bivector Qu being obtained by multiplying the bivector Q by the integer Nu by means of an apparatus according to claim 5,

means in the certifying terminal U (170) for forming a signature text for a message M through the use of an arbitrary integer and the signature key Nu, and for sending the signature text to a verifying terminal V together with the message M, and

means in the verifying terminal V (180) for verifying the message M through the use of the signature text and the verification key Qu of the certifying terminal U (170).


 
11. ElGamal-type signature system comprising a center (160) and a plurality of certifying terminals (170) and verifying terminals (180),
the center comprising:

a) first means (161) for receiving verification keys disclosed by the certifying terminals;

b) second means (163) for receiving a request from one of the certifying and verifying terminals (170, 180) to send a bivector Q comprising a plurality of element pairs selected from a predetermined finite field, a parameter A defining a curve, and a verification key Qu; and

c) third means (160) for disclosing the bivector Q, the parameter A and the verification key Qu to the one of the certifying and verifying terminals (170, 180) making the request, when the second means (163) receives the request,
the certifying terminal (170) comprising:

a) fourth means (171) for requesting the center (160) to send the bivector Q and the parameter A;

b) fifth means (172) for receiving and holding the bivector Q and the parameter A disclosed by the center (160) in accordance with a request from the fourth means (171), and for sending them to a first device (174) for multiplying a bivector by an integer;

c) sixth means (173) for randomly selecting an integer Nu, keeping the integer Nu so selected secret as a signature key, and sending the signature key Nu to said first device (174) for multiplying a bivector by an integer;

d) said first device (174) according to claim 5 being provided for multiplying a bivector by an integer, for receiving the bivector Q and the parameter A from the second means (163), receiving the signature key Nu from the sixth means (173), and computing a bivector Qu by multiplying the bivector Q by the integer Nu;

e) seventh means (175) for receiving the bivector Qu from the first device (174), and for sending the bivector Qu to the center (160) for disclosure as a verification key;

f) a second device (176) for selecting a random number K, keeping the random number K so selected secret, and sending the random number K to the first device (174);
the first device (174) receiving the bivector Q and the parameter A sent from the second means (163), and the random number K stored in the second device (176), multiplying the bivector Q by the random number K to thereby obtain a bivector R as a signed text, and storing the signed text R in the eighth means (177); and

g) ninth means (178) for receiving a message M, the signed text R (R = K × Q) from the first device (174), the random number K from the second device (176) and the signature key Nu from the sixth means (173), and for computing, as a signed text, S (S = (M − Nu × x(R)) × K^-1 mod O(Q)), where x(R) denotes a sum of the first elements of each of the groups contained in a bivector R, and O(Q) denotes an order of the bivector Q;
the signed text R, the signed text S and the message M being sent to the verifying terminal from the eighth, tenth and ninth means (177, 178, 179),
the verifying terminal (180) comprising:

a) eleventh means (181) for requesting the center (160) to send the bivector Q, the parameter A and the verification key, all of which have been disclosed;

b) twelfth means (182) for receiving and holding the bivector Q, the parameter A and the verification key Qu, and for sending them to a third device (183) for multiplying a bivector by an integer;

c) a third device (183) for multiplying a bivector by an integer, the third device (183) receiving the bivector Q, the parameter A and the message M, computing M × Q by multiplying the bivector Q by M to thereby obtain a bivector T1 as a result, and storing the bivector T1 so computed in the first storage means (188),
the third device (183) receiving a sum x(R) of the first elements of each of the groups contained in the bivector R received from the eighth means (177), receiving the verification key Qu and the parameter A from the twelfth means (182), computing x(R) × Qu to thereby obtain a bivector T2 as a result, and storing the bivector T2 so computed in the second storage means (189),
the third device (183) receiving the bivector R, the signed text S and the parameter A, computing S × R by multiplying the bivector R by S to thereby obtain a bivector T3 as a result, and storing the bivector T3 in the third storage means (190);

d) a fourth device (184) for summing bivectors, the fourth device (184) receiving the bivectors T2 and T3 and the parameter A, computing (T2 + T3) to thereby obtain a bivector T4 as a result, and storing the bivector T4 so computed in the fourth storage means (191); and

e) verifying means (192) for confirming whether the bivector T1 stored in the first storage means (188) is identical to the bivector T4 stored in the fourth storage means (191), to thereby verify whether the message M was produced by the certifying terminal U (170).
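The following Python example is added here to trace the procedures of claims 1, 4, 5, 9 and 11 in working code; it is not the patent's own implementation. It restricts the curve to genus G = 1, where a "bivector" is a single element pair (x, y), the set of G points is a single point, and the curve of smallest degree through the two points of the first set (parameter B) is a line, so the claim-1 steps (union, curve through the points, intersection with A, subtraction, vertical curve C, second intersection, subtraction) can be followed literally. The double-and-add loop keeps the register names N, Y, Z and R of claim 5, and the encryption and signature functions follow claims 9 and 11 with x(R) as the first element of the pair and O(Q) found by brute force. The curve y^2 = x^3 + x + 6 over GF(11) with Q = (2, 7), and all keys and nonces, are constructed toy values chosen only so that the arithmetic can be checked by hand; reducing the ciphertext C2 modulo p is an assumption, since the claim only states that M is added to t1.

```python
# Added illustration (not the patent's code): claims 1, 4, 5, 9 and 11 worked
# out for genus G = 1, where a bivector is one pair (x, y) and the curve of
# smallest degree through two points is a line. Curve parameter A = (p, a, b)
# describes y^2 = x^3 + a*x + b over GF(p). All parameters below are constructed
# toy values for tracing the procedure and are far too small for real use.

INF = None  # identity element of the Jacobian group (point at infinity)


def parameter_b(P1, P2, A):
    """Claim 1 means (21): parameter B of the line through {P1, P2} (tangent if P1 == P2)."""
    p, a, _ = A
    if P1 == P2:
        slope = (3 * P1[0] ** 2 + a) * pow(2 * P1[1], -1, p) % p
    else:
        slope = (P2[1] - P1[1]) * pow(P2[0] - P1[0], -1, p) % p
    return slope, (P1[1] - slope * P1[0]) % p  # line y = slope*x + c


def add(X1, X2, A):
    """Claim 1 for G = 1: X1 + X2 in the Jacobian group of curve A."""
    p = A[0]
    if X1 is INF:
        return X2
    if X2 is INF:
        return X1
    if X1[0] == X2[0] and (X1[1] + X2[1]) % p == 0:
        return INF  # T1 = {P, -P}: the line through them is vertical, the sum is the identity
    slope, c = parameter_b(X1, X2, A)
    # S1 = A intersected with B has three x-coordinates summing to slope^2 (Vieta);
    # removing T1 = {X1, X2} leaves T2 = {(x3, y3)}.
    x3 = (slope * slope - X1[0] - X2[0]) % p
    y3 = (slope * x3 + c) % p
    # Parameter C is the vertical line x = x3 through T2; S2 = A intersected with C
    # is {(x3, y3), (x3, -y3)}, and X3 = S2 minus T2 = {(x3, -y3)} is the result.
    return x3, (-y3) % p


def double(X, A):
    """Claim 4: add the bivector X to its copy Xa."""
    return add(X, X, A)


def multiply(N, X, A):
    """Claim 5: right-to-left double-and-add with the claim's registers N, Y, Z, R."""
    Y, Z = X, INF  # Y starts as a copy of X; Z starts as the identity
    while N > 0:
        R, N = N % 2, N // 2  # j) remainder R; k) renewed N
        if R == 1:
            Z = add(Y, Z, A)  # l) accumulate Y into Z
        if N > 0:
            Y = double(Y, A)  # m) double Y while the loop continues
    return Z


def x_sum(T):
    """x(R) of the claims: sum of the first element of each pair; one pair for G = 1."""
    return T[0]


def order_of(Q, A):
    """O(Q): count multiples of Q until the identity is reached (toy-sized curves only)."""
    n, T = 1, Q
    while T is not INF:
        T, n = add(T, Q, A), n + 1
    return n


def encrypt(M, Ru, Qv, Q, A):
    """Claim 9 sender: C1 = Ru*Q, C2 = M + x(Ru*Qv) mod p (reduction mod p assumed)."""
    C1 = multiply(Ru, Q, A)
    T1 = multiply(Ru, Qv, A)
    return C1, (M + x_sum(T1)) % A[0]


def decrypt(C1, C2, Nv, A):
    """Claim 9 receiver: T2 = Nv*C1 equals Ru*Qv, so M = C2 - x(T2) mod p."""
    return (C2 - x_sum(multiply(Nv, C1, A))) % A[0]


def sign(M, K, Nu, Q, A):
    """Claim 11 certifying terminal: R = K*Q, S = (M - Nu*x(R)) * K^-1 mod O(Q)."""
    n = order_of(Q, A)
    R = multiply(K, Q, A)
    return R, (M - Nu * x_sum(R)) * pow(K, -1, n) % n


def verify(M, R, S, Qu, Q, A):
    """Claim 11 verifying terminal: T1 = M*Q must equal T4 = x(R)*Qu + S*R."""
    T1 = multiply(M, Q, A)
    T2 = multiply(x_sum(R), Qu, A)
    T3 = multiply(S, R, A)
    return T1 == add(T2, T3, A)


# Constructed toy curve y^2 = x^3 + x + 6 over GF(11); Q = (2, 7) has order 13.
A = (11, 1, 6)
Q = (2, 7)

if __name__ == "__main__":
    Nv = 4                                   # receiver's secret integer
    Qv = multiply(Nv, Q, A)                  # receiver's public key
    C1, C2 = encrypt(9, 3, Qv, Q, A)         # Ru = 3, message M = 9
    print("decrypt ->", decrypt(C1, C2, Nv, A))
    Nu = 5                                   # signature key
    Qu = multiply(Nu, Q, A)                  # verification key
    R, S = sign(10, 7, Nu, Q, A)             # K = 7, message M = 10
    print("verify  ->", verify(10, R, S, Qu, Q, A))
```

The verification identity holds because S × R = S × K × Q = (M − Nu × x(R)) × Q and x(R) × Qu = x(R) × Nu × Q, so their sum is M × Q; it requires K to be invertible modulo O(Q), which the signing terminal must check when O(Q) is not prime. For genus G > 1 the same skeleton applies, but `parameter_b` becomes a curve-fitting step through 2G points and the two subtractions become multiset differences of G-point sets, which is the general apparatus of claim 1.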


 
12. Computer-readable recording medium storing therein a program for realizing the system defined in any one of claims 6 to 11, and/or for causing a computer to act as an apparatus defined in any one of claims 1 to 5.
 




Drawing